数据库安全性指南


字数:0 关键词: DB2 数据库服务器

IBM DB2 10.1 for Linux, UNIX, and Windows }]b2+T8O |B1d 2013 j 1 B S151-1753-02  IBM DB2 10.1 for Linux, UNIX, and Windows }]b2+T8O |B1d 2013 j 1 B S151-1753-02  "b 9CKE"0d'VDz70,kHDAZ 337 3D=< B, :yw;BD#fE"# ^)fyw KD5|, IBM DyP(E"#|ZmI-iPa),R\f((D#$#>vfoP|,DE";|(TNNz7D #$,Ra)DNNod<;h*gKbM# zIZ_r(}1XD IBM zm&): IBM vfo# v *Z_):vfo,k*A IBM vfoPD,x7*:http://www.ibm.com/shop/publications/order v *iR1XD IBM zm&,k*A IBM +r*5K?<,x7*:http://www.ibm.com/planetwide/ *S@zrSCsD DB2 P!Mz[?): DB2 vfo,kBg 1-800-IBM-4YOU(426-4968)# z"ME"x IBM s,4Zh IBM G@<(^,IBM IT4|O*J1DNN==9CrV"zya)DNNE"x ^kTzP#NNpN# © Copyright IBM Corporation 2013. ?< XZ>i ..............vii Z 1 B DB2 2+T#M........1 O$ .................2 (^ .................2 20M9C DB2 }]b\mw1D2+T"bBn .3 5}M}]b?}\ LBAC #$D}] .........171 S}]P}% LBAC #$ .........174 Z 6 B +53?XF ..........192 32 ;M 64 ;2+e~D"bBn ......192 2+e~Jb7( ............192 tCe~ ...............193 ?pilwe~............193 ?p“C'j6/\k”e~ ........194 ?p GSS-API e~ ..........195 ?p Kerberos e~ ..........196 yZ LDAP DO$Mii/'V .......197 *O$Mii/dC8w LDAP (AIX) ....199 *O$Mii/dC8w LDAP (Linux)....202 *O$Mii/dC8w LDAP (HP-UX) . . . 203 *O$Mii/dC8w LDAP (Solaris) . . . 205 dC LDAP e~#i..........206 tC LDAP e~#i..........209 9C LDAP C'j6xP,S.......209 ii/D"bBn ...........210 TO$ LDAP C'rlwi1zzDJbxPJ OoO...............211 `42+e~ .............212 DB2 gN0k2+e~ .........212 TZ*"2+e~bD^F ........213 T2+e~D^F ...........215 2+e~D5Xk ...........216 kT2+e~Dms{"&m .......218 2+e~ API DwC3r ........219 Z 9 B 2+e~ API........223 ilwe~D API............224 db2secDoesGroupExist API - liiGqfZ . . 225 db2secFreeErrormsg API - MEms{"Zf . . 
226 db2secFreeGroupListMemory API - MEiPmZ f ................226 db2secGetGroupsForUser API - q!C'DiPm 226 db2secGroupPluginInit API - u$ 240 db2secGetAuthIDs API - q!O$j6 ....241 db2secGetDefaultLoginContext API - q!1!G .......269 (E:exvZbms&mM5Xk .....270 (E:exvZb*"^F ........270 (E:exvZb API wC3r ......271 Z 11 B sFh)G<X53J''V........321 9C DB2ADMNS M DB2USERS iD)9 Windows 2+T ...........321 Windows 2008 M Windows Vista r|_f>D "bBn:C'CJXF&\?~......324 DB2 M UNIX 2+T ..........325 DB2 M Linux 2+T ..........325 |D\k'V(Linux) .........325 ?p|D\ke~(Linux)........326 =< A. DB2 SQL 4,oz ......331 CJ;,f>D DB2 E"PD .......332 |B20ZFczrZ?x~qwOD DB2 E"P D .................332 V/|B20ZFczrZ?x~qwOD DB2 E "PD................333 DB2 LL...............335 DB2 JOoOE"............335 E"PDunMu~ ...........336 =< B. yw ............337 w} ...............341 ?< v vi }]b2+T8O XZ>i >}]b2+T8OhvgN9C DB2® 2+T&\?~45VM\m20}]byX hD2+T6p# }]b2+T8Oa)TBZ]Dj8E": v \m\CJDB2 }]bDC'D(^ v hC(^TXFC'CJ}]bTsM}] © Copyright IBM Corp. 2013 vii viii }]b2+T8O Z 1 B DB2 2+T#M 2+TIC=V==4XFT DB2 }]b53}]M/}DCJ#T DB2 }]b5 3DCJI;Z DB2 }]b53b?D$_4\m(O$),x DB2 }]b53Z DCJI}]b\mw\m(Z()# O$ O$MG53i$C'm]D}L#C'O$GI DB2 }]b53b?D2+T$_ (}O$2+e~#i4jID#1z20 DB2 }]b531M|(K@5ZyZY w53DO$D1!O$2+e~#i#*=cp{,DB2 }]b\mw9a)KCZ Kerberos Ma?6?CC'IT4PD)}]bYw,CC'ITCJD)}]Ts# TBGICZZ(j6DmI(D;,44: 1. w*mI(:1SZhZ(j6DmI(# 2. (zmI(:ZhCZ(j6w*dI1DiMG+DmI(# 3. +CmI(:Zh PUBLIC DmI(# 4. OBDtPmI(:ZhIEOBDG+DG)mI(# IT4BP`p+(^ZhC': v 536p(^ 53\m1(SYSADM)"53XF(SYSCTRL)"53,$(SYSMAINT)M5 3`S(SYSMON)(^a)K;,LHDT5}6p/}DXF(#(^a); V=(4TX(ViMXF5}"}]bM}]bTsD,$M5CLrYw# v }]b6p(^ 2+T\m1 (SECADM)"}]b\m1 (DBADM)"CJXF (ACCESSCTRL)" }]CJ (DATAACCESS)"SQL \m1 (SQLADM)"$w:X\m\m1 (WLMADM) T05w(EXPLAIN)(^a)K}]bZDXF(#d{}]b(^ |( LOAD(\;+}]0k=mP)M CONNECT(\;,SA}]b)# v Ts6p(^ Ts6p(^f0TTs4PYw1liX(#}g,*SmPxP!q,C'M XkAYTCm_P SELECT X(# © Copyright IBM Corp. 
2013 1 v yZZ]D(^ (}SX|nCJ>X}]# – 1~qwE5M'zO$19C6L,S# v +2+T$_I&XTC'j6M\kxPi$4w*m]$w,"Jm: – 9C6L,S,ZKivB~qwh*O$D$w# – 9CYw,ZKivBC'#{T3v;,ZG<1yCDj64KP|n# ":Z3) UNIX 53O,DB2 }]b\mwI+Yw53D'\\k"TN}Gk U>,"lbM'zN1,vJmDG<"TN},C5I LOGINRETRIES N}8(# (^ 9C DB2 $_44PZ(#DB2 mMdCD~CZG$# X(*Z({(e%vmI(,|9C'\;4(rCJ}]bJ4#X(f"Z} ]b?$G LBAC 2+jEM LBAC frb}(,|GJmCJ\yZjEDCJ XF (LBAC) #$D}]#LBAC >$f"Z}]b?}M G ssh#kND DB2RSHCMD "amd?D5,TKb6L shell dCD^F# Z20 DB2 }]b\mw.s,9Ii4M|D(g{h*)Q-ZhC'D1!X ( # 1 ! i v B , 2 0 } L Z ? V Y w 5 3 O y * T B C ' Z h 5 3 \ m (SYSADM)X(: Linux M UNIX Yw53 tZ5}yP_DwiDP' DB2 }]bC'{# Windows 73 v >X Administrators iDI1# v rXFwP Administrators iDI1(1 DB2 }]b\mwdC*Z(eC 'D;CO6Yb)C'Di1)#Z Windows Yw53O,9C DB2_GRP_LOOKUP 73d?4dCi6Y# v DB2ADMNS iDI1(1tCK Windows )92+T1)#DB2ADMNS iD;CZ20Zd7(# v LocalSystem J'# 4 }]b2+T8O (}|B}]b\mwdCN} sysadm_group,\m1ITXFIDvC'i5P SYSADM X(#zXkq-TB}r2G5}dCrd{D~,\m1&cTq!PX DB2 }]b\m53C4TC'j6M\k (9C SERVER_ENCRYPT O$1)r_C'j6"\kMC'}](9C DATA_ENCRYPT O$1)4PS\DS\}LDO$E":http://www.ibm.com/security/ standards/st_evaluations.shtml# ZT=IE,SOP;C' TZ CLI/ODBC M XA CLI/ODBC &CLr,Z&mh*O$DP;C'ks19C DO$zFknu("IE,S>m19CDzF`,#rK,TZT=IE,SO DP;C'ksyhDNNO$45,Z("CIE,S19CDNNd{-L2+ tT(}g,S\c("S\\?Me~{F)<`,#(}9C}]4tT,Java™ & CLrJmTP;C'ks|DO$=(# r*IT(eIEOBDTsTcZIE,SOP;C';h*O$,yT*KdV {CT=IE,SODP;C'&\,C'`4D2+e~Xk\;: v S\vC'j6jG v TCC'j65XP'D DB2 Z(j6 ":g{ CLIENT `MDO$P',G4;\("T=IE,S# a)DO$`M a)KBPO$`M: SERVER 8(Z~qwO(}TZCdCP'D2+TzF(}g,(}2+e~# i)xPO$#1!2+TzFG:g{Z"T,SZd8(KC'j6M\ k,G4a+|G"MA~qw"Z~qwO+|GkP'C'j6M\ki OHO,T7(GqJmCC'CJ5}# 6 }]b2+T8O ":~qwzklb;v,SG>X,S9G6L,S#TZ>X,S,1O $`MG SERVER 1,;hC'j6M\kMIO$I&# SERVER_ENCRYPT 8(~qwS\S\D SERVER O$=8#g{48(M'zO$,9CZ~ qwP!qD=(O$M'z#1C'j6M\k(}xgSM'z"MA~ qw1,|G&ZQS\4,# 1M'zk~qw.d-LzzDO$=(* SERVER_ENCRYPT 1,IT! 
q(}9C AES(_6S\j<)256 ;c(4TC'j6M\kxPS\# *K,khC}]b\mwdCN} alternate_auth_enc#KdCN}_PT B}nhC: v NOT_SPECIFIED(1!5)m>~qwS\M'z(iDS\c(,dP| ( AES 256 ;c(# v AES_CMP b6Eg{,SM'z(i9C DES +'V AES S\,G4~q wakT AES S\XB-L# v AES_ONLY b6E~qwvS\ AES S\#g{M'z;'V AES S\, G4,Sa;\x# v1M'zk~qw.d-LDO$=(* SERVER_ENCRYPT 1,E\9C AES S\# CLIENT 8(9CYw532+TZwC&CLryZD}]bVxO4PO$#ZM 'zZcO,+Z,SZdr"T,SZd8(DC'j6M\kkP'DC 'j6M\kDiOHO,T7(GqJmKC'j6CJC5}#;Z}] b~qwO4Pd{O$#bP1F*%cG<# g{C'4P>XGXM'z$w>6pCC '# g{6L5}_P CLIENT O$,G4m=vN}7(nUDO$`M: trust_allclnts M trust_clntauth# vCZIEM'zD CLIENT 62+T: IEDM'zG_PI?D">X2+T53DM'z# 1Q!qO$`M CLIENT 1,I!q;v=S!n4h9dYw7 3;PLP2+TDM'zCJ53# *h9;2+DM'zCJ53,\m1I+ trust_allclnts N}h C* NO 4!q“IEM'zO$”#bb6EyPIE=(z GqE5M'z#KN}D1!5G YES# ":ITE5yPM'z(trust_allclnts * YES),+dPD3) M'zIT;PCZO$D>z#\2+T53# uATZIEDM'z,z2I\#{Z~qwOjIO$#9C trust_clntauth dCN}48>TIEM'zxPi$D;C#KN} D1!5G CLIENT# Z 1 B DB2 2+T#M 7 ":vTZIEDM'z,g{ZT< CONNECT r ATTACH 1;P T=a)C'j6r\k,G4TC'Di$ZM'zOxP# trust_clntauth N}vCZ7(T USER r USING SdOa)DE "xPi$D;C# *K@9yPM'z(dP|( z/OS® M System i® OD JCC 4 ` M'z,+;|( z/OS"OS/390®"VM"VSE M System i OD>z DB2 M'z)xP4Z(DCJ,k+ trust_allclnts N}hC* DRDAONLY#;Pb)M'zIE5,E\4PM'KO$#yPd{ M'zXka)C'j6M\k,T)~qwO$# trust_clntauth N}CZ7(O$H0a=DM'zD;C:g{ trust_clntauth G CLIENT,G4ZM'zOxPO$#g{ trust_clntauth G SERVER,G44a)C'j6M\k1ZM'zO xPO$,a)KC'j6M\k1Z~qwOxPO$# m 1. 
9C TRUST_ALLCLNTS M TRUST_CLNTAUTH N}iODO$==# trust_ allclnts trust_ clntauth ;IEG DRDA® M 'zO$ (;PC' j6M\ k) ;IEG DRDA M' zO$(_ PC'j6 M\k) IEG DRDA M' zO$(; PC'j6 M\k) IEG DRDA M' zO$(_ PC'j6 M\k) DRDA M' zO$(; PC'j6 M\k) DRDA M' zO$(_ PC'j6 M\k) YES CLIENT CLIENT CLIENT CLIENT CLIENT CLIENT CLIENT YES SERVER CLIENT SERVER CLIENT SERVER CLIENT SERVER NO CLIENT SERVER SERVER CLIENT CLIENT CLIENT CLIENT NO SERVER SERVER SERVER CLIENT SERVER CLIENT SERVER DRDAONLY CLIENT SERVER SERVER SERVER SERVER CLIENT CLIENT DRDAONLY SERVER SERVER SERVER SERVER SERVER CLIENT SERVER DATA_ENCRYPT ~qwS\S\D SERVER O$=8MC'}]DS\#CO$k SERVER_ENCRYPT y>D$w==`,#1C'j6M\k(}xgSM' z"MA~qw1,|G&ZQS\4,# 9CKO$`M1,S\TBC'}]: v SQL M XQuery od# v SQL Lrd?}]# v S&m SQL r XQuery odM|(}]hvD~qwPdvD}]# v Si/qCD3)ryPp8/}]# v sTs (LOB) }]w/# v SQLDA hv{# DATA_ENCRYPT_CMP ~qwS\S\D SERVER O$=8MC'}]DS\#mb,KO$`MJ mk;'V DATA_ENCRYPT O$`MDBcz7f]#b)z7Jm9C SERVER_ENCRYPT O$`M4xP,S,"R;TC'}]xPS\#'V BO$`MDz7Xk9CCO$`M#KO$`MvZ~qwD}]b\m wdCD~PP',xZ CATALOG DATABASE |nO9CCO$`M^'# 8 }]b2+T8O KERBEROS 1 DB2 M'zM~qwy;Z'V Kerberos 2+-iDYw53O1,9C Kn#(}9C+3\ku44(2m\?,Kerberos 2+T-iw*Z}= O$~q4PO$#K\?I*C'D>$,ZyPks>Xrxg~qD! OP,<9C|4i$C'Dm]#K\?{}K+C'{M\kTwDD= =(}xg+Mb;h*#(}9C Kerberos 2+-i,z\;T6L DB2 }]b~qw9C%cG<&\#KERBEROS O$`MZwVYw53O\' V,kND`XE"?VTKb|`E"# Kerberos O$$w-mgBy>: 1. C'TrXFwOD Kerberos \?V"PD (KDC) 9CrJ'O$G%D>% (TGT) "MAM'z# 2. Z,SDZ;WN,~qw+?jwe{F"MAM'z,Cwe{FG DB2 }]b~qw~qD~qJ'{#(}9C~qwD?jwe{FMZ h?jD>$,M'zrZh>$D~q (TGS) ks~q>%,C>$2Z rXFwP#g{M'zDZh>%D>%M~qwD?jwe{F

%#G%"MA~q w# 4. ~qwi$M'zD~q>%#g{M'zD~q>%P',G4O$j I# I\aTM'zOD}]bxP`?,"T~qwD?jwe{FT=8( Kerberos O$`M#9CK=(,IvT,SDZ;vWN# g{8(KC'j6M\k,G4M'z+ksCC'J'DZh>%D>% "+dCZO$# KRB_SERVER_ENCRYPT 8(~qwS\ KERBEROS O$rS\D SERVER O$=8#g{M'z O$`MG KERBEROS,G49C Kerberos 2+T53O$M'z#g{M 'zO$`MG SERVER_ENCRYPT,G49CC'j6MS\\kO$M' z#g{48(M'zO$`M,gPI\,M'z+9C Kerberos,qr| +9C\kS\#TZd{M'zO$`M,+5X;vO$ms#;\+M 'zDO$`M8(* KRB_SERVER_ENCRYPT# ":Kerberos O$`MZX(Yw53OKPDM'zM~qwO\'V,k ND`XE"?VTKb|`E"#TZ Windows Yw53,M'zM~qw DNN Kerberos e~5XAM'z#M'zSPmP!qZM'ze~ ?mDCJ\=dCD~PE"D#$,yTZ|DO$E"1, ;*^bP+T:x(Z5}.b#BP}]b\mwdCD~N}XFT5}D CJ: v authentication * v sysadm_group * v trust_allclnts v trust_clntauth v sysctrl_group v sysmaint_group * 8>=vnX*DN}# ITI!;)k)47#bViv;a"z:g{bb+T:x(Z DB2 }]b5 3.b,yP=(OXYw532+TC',Xh(#D DB2 }]b2+Tli4|B}]b\mw dCD~#KC'X|B#; \T6L==rTNNd{ DB2 }]b|n9CJO#UC'#KXbC';j6 *: v UNIX =(:5}yP_ v Windows =(:tZ>X :Administrators; iDK1 v d{=(:IZZd{=(O;P>X2+T,rKyPC'^[gN<*(} >X2+Tli 6LM'zDO$"bBn 1T}]b`?TcxP6LCJ1,IZ}]b?DZ;VO$`M 4,SA~qw#Z48(O$`M1,9C LIST DATABASE DIRECTORY |ny P>D}]b?<+;aT>O$`M#g{Z}]b?# v ~qw* V8 FP7 r|_f># Zb)ivB,M'z^(,SA~qw#*JmxP,S,Xk+M'z}6= V8 r|_f>,r_9xX6p* V8 FP6 r|Mf># (}8(J1DO$`Mw*xX&D}]b?”AJ1DVx#ZK=8P,+;9CZxX&`?DO$`M,b Gr*;ZM'zk~qw.dxP-L# g{h*_P9C;,O$`MDM'z,G4I\h*9C;,DO$`MZxX &T`v}]bp{xP`?#v(K*ZxX&`?DO$`M1,IT9O$` MkZM'zM~qwP9CDO$`M`,;r_,IT9C NOTSPEC O$`M, +h*Kb NOTSPEC 1!* SERVER# Vx}]bO$"bBn Z;vVx}]bP,Xk*}]bD?vVx(e,;iC'Mi#g{b)(e ;`,,G4C'2mG;Z(Z;,DVxOv;,DBi# (iyPVx#V;B# Kerberos O$ Kerberos GZ}=xgO$-i,|9C2m\?53,Z;2+Dxg73P2+X O$C'#DB2 }]b53a)T AIX®"HP-UX"Solaris"Linux IA32 M AMD64 0 Windows Yw53OD Kerberos O$-iD'V# ri Kerberos O$I|,}cD53\m,ZC53P,&CLr~qwkM'z.d;; DGS\~q>%(x;GwDC'j6M\kT)#b)S\~q>%F*>$, IF* Kerberos \?V"PD (KDC) D%@~qwa)#>$DzfZP^,"R; PM'zM~qwE\6p>$#b)&\IuY2+gU,49>%ZxgO;9 Z 1 B DB2 2+T#M 11 X2GgK#?vC'(Z Kerberos uoPF*we)5Pk KDC 2mD(CS\ \?#\D45,r KDC "aDweMFczF*r# Kerberos D;vX|XwG|a)%cG<73;C';hi$;Nm]4ICJ Kerberos rPDJ4#K%cG<73b6EC'I,SA DB2 }]b~qwx;a 
)C'j6r\k#m;vEcGr/KC'j6D\m,r* Kerberos 9CPkf" b4f"we#ns,Kerberos 'V`%O$,`%O$JmM'zi$~qwDj 6# hC XkHZyPFczO20"dC Kerberos c,E\+ Kerberos k DB2 }]b53 dO9C#TZdMdC,Xk{OTBhs: v 4(J1we# v 7#M'zM~qwFcz0wetZ,;vrr`vIEr#Z Windows uoP, IEr (Trusted realm) F*IEr (trusted domain)# v J114(~qw\?mD~# v 9yPFczOD1S,=#Kerberos (#Jm 5 VSD1d+n;g{1d+n ,} 5 VS,G4"Tq!>$1a"za0O$ms# * DB2 ~qwhC Kerberos XkHZyPFczO20"dC Kerberos c,E\+ Kerberos O$k DB2 }]b 53dO9C#TZdMdC,Xkq-K3fOD8>E"# *<.0 g{}Z9C Linux"Sun Solaris r HP-UX Yw53,k7#53O420 krb5 b TbD Kerberos b#qr,Kerberos O$a'\,"RaZ db2diag U>D~PG< ;u{"# g{}Z9C Linux r Sun Solaris Yw53,k6X IBM® Network Authentication Service (NAS) Toolkit DNN5},"S PATH 53d?P}%T NAS 2076;C DNN}C# XZKNq DB2 }]bGq9C Kerberos O$!vZGq9C,S&CLrya)D>$I&4 (K2+T>$#xR,;*IC,Kerberos `%O$M\'V,K1M'zM~qw Xk,1$wdm]E\9C Kerberos#;x,d{ Kerberos &\(g{"){rS \)+;IC# PXZ53O20MdC Kerberos z7Dd{j8E",kND http://www.ibm.com/ developerworks/data/library/techarticle/dm-0603see/index.html rf Kerberos z7a)DD 5# DB2 }]b53D Kerberos 'VG(} IBMkrb5 GSS-API 2+e~a)D#Ke~ CZ~qwO$MM'zO$#e~bGZTB;C20 DB2 Zd20D# v Z UNIX M Linux 32 ;Yw53O:sqllib/security32/plugin/IBM/client M sqllib/security32/plugin/IBM/server ?< 12 }]b2+T8O v Z UNIX M Linux 64 ;Yw53O:sqllib/security64/plugin/IBM/client M sqllib/security64/plugin/IBM/server ?< v Z Windows Yw53O:sqllib\security\plugin\IBM\client M sqllib\security\ plugin\IBM\server ?< sqllib/samples/security/plugins ?XYw534q! 
kerberos w eDiPm#TZ UNIX M Linux Yw53,K@5h*?vweDH[53J'# }g,TZwe name@REALM,DB2 }]bz7(}i/>XYw53Tq!Yw5 3C' name ytD+?i{4U/iE"#g{Yw53C' name ;fZ,G4 AUTHID vtZ PUBLIC i# Z Windows Yw53O,rJ'k Kerberos weT/X*#^h4Pd{=h44( %@DYw53J'# Kerberos \?mD~ *S\2+OBDks,UNIX r Linux Yw53OD?v Kerberos ~qXk+d> $ECZ\?mD~P#KhsJCZ DB2 }]b5}Cw~qwweDG)we# 53vZ1!\?mD~PQw~qw\?#PXr\?mD~mS\?D8>E ",kNDf Kerberos z7a)DD5# Windows Yw53O;P\?mD~DEn;53aT/f"Mq!weD>$# I9C KRB5_KTNAME 73d?48(1!\?mD~{#+G,r*C~qwe~Z DB2 }]b}fxLZKP,yTK73d?I\;ICJ#*K\bbViv,k9 C db2set |n+ KRB5_KTNAME 73d?mSA DB2ENVLIST "amd?: db2set DB2ENVLIST=KRB5_KTNAME r* Kerberos 4T Windows 9C\?mD~,yTK!nvT Linux r UNIX ~q wIC# }L ** DB2 ~qwhC Kerberos,k4PTBYw: 1. (}4PBPdP;v=h420 Kerberos: v TZ AIX Yw53,kZ AIX O* DB2 20 NAS (Network Authentication Ser- vices) Toolkit V1.4 r|_f>#IS https://www.ibm.com/services/forms/ preLogin.do?source=dm-nas BX NAS Lr|# v TZ Linux M HP-UX(v 64 ;)Yw53,k20Yw5320iJO|(D Kerberos Lr| krb5# v TZ Sun Solaris Yw53,Kerberos ~q|,Z Solaris R10 P#;h*d{ 20# v TZ Windows Yw53,kZrXFwOtC Active Directory# 2. + DB2 z7dC*9C Kerberos e~#kNDZ 196 3D:?p Kerberos e ~;# Z 1 B DB2 2+T#M 13 3. 
XBt/ DB2 ~qw# Kerberos D|{M3d XkH7#M'zM~qwFczMwetZ,;vrr`vIEr,E\+ Kerberos k DB2 }]b53dO9C# M'zwe NNITSU Kerberos >%xPO$D(;j6 Kerberos O $;ICZ4kr`X*D Windows Yw53#xR,Windows Yw53v'V9C I=v?ViIDq=4(ewem],4,name@domain# Z(j63d kfZ6'(#^Z%(FczDYw53C'j6;,,Kerberos weITZ}|G T:Dr.bDrPqCO$#(}9Cr{4j+^(we{FT\bvVX4D we{FbyD1ZJb#Z Kerberos P,jE",kNDJ1D Windows D5# (}+ DB2_KRB5_PRINCIPAL 73d?hC*j<~qwwe{F,I2G DB2 ~q wZ UNIX M Linux Yw53O9CD Kerberos ~qwwe{F#v1"v db2start |nTXBt/5}s,DB2 }]b53E6pf;~qwwe{F# tC Kerberos O$ XkHtC Kerberos O$,E\+ Kerberos k DB2 }]b53dO9C# ZM'zOtC Kerberos O$ *ZM'zOtC Kerberos O$,k+ clnt_krb_plugin }]b\mwdCN}hC *z*9CD Kerberos e~D{F# T Z > X Z ( , g { authentication d C N } h C * KERBEROS r KRB_SERVER_ENCRYPT,G4M'z+9C Kerberos#qr,;aa)M'K Kerberos ' V# *c:;a4PNNliTi$ Kerberos 'VGqIC# `?}]b1,*Tk DB2 ~qwDv>,StC Kerberos O$,&D*+ Kerberos 8(*O$`M,gTB>}y>: CATALOG DATABASE testdb AT NODE testnode AUTHENTICATION KERBEROS TARGET PRINCIPAL service/host@REALM +G,g{4a)O$E",G4~qwarM'z"M~qwweD{F# Z~qwOtC Kerberos O$ *Z~qwOtC Kerberos O$,kZzT~qwOD srvcon_gssplugin_list }] b\mwdCN}8(De~PmP|(X( Kerberos e~{F#+C Kerberos e~ {F|(ZKPmPJmM'z(h~qw"ZxP,S1!q Kerberos O$=(# g{KdCN}t*U"Rz+ authentication dCN}hC* KERBEROS r KRB_SERVER_ENCRYPT,G453DC1! Kerberos e~ IBMkrb5#;\8(;v Kerberos e~# Z 1 B DB2 2+T#M 15 ns,*vTkV,SO$9C Kerberos,k+ svrcon_auth N}hC*BP=v! nDdP;v: v KERBEROS Tv9C Kerberos O$;r v KRB_SERVER_ENCRYPT T9C Kerberos M SERVER_ENCRYPT O$# g{*TkV,SM>XZ(9C Kerberos,k+ svrcon_auth dCN}t*U"+ authentication dCN}D5hC*dP;v Kerberos !n# 4( Kerberos e~ *Z DB2 }]b53O(F Kerberos O$DP*,I*"zT:D Kerberos O$e ~# 4( Kerberos e~1r db2diag U>D~<|,G<'\rG<; \x{"# v g{rJ'{2GZ>X(eD,G4T=8(r{M\kD,S+'\,"Rv VBPms:^(k>X2+z9*5#CmsGIZ Windows Yw53HiR> X C ' l I D # b v = 8 G Z , S V { . 
P T C ' x P j + ^ ( , } g , name@DOMAIN.IBM.COM# v Windows J'D{FP;\|( at V{ (@),r* DB2 Kerberos e~Y(CV{ Gr{Vt{# 16 }]b2+T8O v g{M'zM~qw(M|_)D"Pf8(B\k: AIX M Windows Yw53OD DB2 Universal Database™ V8"Linux Yw53OD DB2 V9.1 FP3 r|_f>"DB2 for z/OS V7 M DB2 for i V6R1# }g,g{SU=ms{" SQL1404N“\k}Z”r SQL30082N“2+&m'\,-r * 1(\k}Z)”,G49C CONNECT od44gBy>|D\k: CONNECT TO database USER userid USING password NEW new_password CONFIRM new_password (^"X(MTsyP( v1C'(IZ(j6j6)_P4P8(/}D(^1,{GE\I&4PYw# *4(m,XkZ(C'4(m;*Ddm,XkZ(C'Ddm;HH# }]b\mw*sT?vC'XpZ(,T9C4PX(NqyhD?v}]b/ }#C'ITq!Xh(^D==gB:(}TdC'j6ZhC(^,rhz5P C(^DG+riDI1Jq# fZ}VN=D(^:\m(^"X(M LBAC >$#Kb,TsDyP(axx|T y4(TsD3VLHD(^#B;ZPV[Kb)N=D(^# \m(^ 5P\m(^DK\mXF}]b\mwDNq":p}]D2+TMj{T# 536p(^ 536p(^a)K;,LHDT5}6p/}DXF(: v SYSADM(53\m1)(^ SYSADM(53\m1)(^a)KT}]b\mwy4(M,$D+? J4DXF(#53\m15PBP+?(^:SYSCTRL"SYSMAINT M SYSMON (^#_P SYSADM (^DC':pXF}]b\mw"7#} ]D2+Mj{T# v SYSCTRL (^ Z 1 B DB2 2+T#M 17 SYSCTRL (^a)KT0l53J4DYwDXF(#}g,_P SYSCTRL (^DC'IT4("|B"t/"#9r>}}]b#KC'9 ITt/r#95},+;\CJm}]#_P SYSCTRL (^DC'9_ P SYSMON (^# v SYSMAINT (^ SYSMAINT (^a)ZyPk5}X*D}]bO4P,$YwyhD( ^#_P SYSMAINT (^DC'IT|B}]bdC"8]}]brmU d"4-VP}]b"`S}]b#`FZ SYSCTRL,SYSMAINT ;a) Tm}]DCJ#_P SYSMAINT (^DC'2_P SYSMON (^# v SYSMON(53`S)(^ SYSMON(53`S)(^a)9C}]b53`SwyhD(^# }]b6p(^ }]b6p(^a)K}]bZDXF(: v DBADM(}]b\m1) DBADM (^6pa)T%v}]bD\m(^#K}]b\m15P4( TsM"v}]b|nyhDX(# DBADM (^;\I_P SECADM (^DC'Zh#;\+ DBADM ( ^Zh PUBLIC# v SECADM(2+T\m1) SECADM (^6pkT2+Ta)T%v}]bD\m(^#2+T\m1 (^\;\m}]b2+TTs(}]bG+"sF_T"IEOBD"2 +jEi~M2+jE)T0ZhM7zyP}]bX(M(^#_P SECADM (^DC'IT*F;tZ{GDTsDyP(#{GIT9C AUDIT od+sF_Tk~qwPDX(}]br}]bTsX*# SECADM (^;PCJf"ZmPD}]DLPX(#|;\I_P SECADM (^DC'Zh#;\+ SECADM (^Zh PUBLIC# v SQLADM(SQL \m1) SQLADM (^6pa)Z%v}]bZ`SMw{ SQL odD\m(^# |II_P ACCESSCTRL r SECADM (^DC'Zh# v WLMADM($w:X\m\m1) WLMADM (^a)\m$w:X\mTs(g~q`"$wYw/"$w `/T0$w:X)D\m(^#|II_P ACCESSCTRL r SECADM (^DC'Zh# v EXPLAIN(5w(^) EXPLAIN (^6pa)Z;PqC}]CJ(DivB5wi/=8D\m (^#|;\I_P ACCESSCTRL r SECADM (^DC'Zh# v 
ACCESSCTRL(CJXF(^) 18 }]b2+T8O ACCESSCTRL (^6pa)"vTB GRANT(M REVOKE)odD\m (^# – GRANT(}]b(^) ACCESSCTRL ( ^ ; a 9 5P_ \ ; Z h ACCESSCTRL"DATAACCESS"DBADM r SECADM (^#;P_P SECADM (^DC'E\Zhb)(^# – GRANT(+Vd?X() – GRANT(w}X() – GRANT(#iX() – GRANT(Lr|X() – GRANT(}LX() – GRANT(#=X() – GRANT(rPX() – GRANT(~qwX() – GRANT(m"SC'riD(^{(^MX(R;P9CC(^{4(DC'r i1,Xk!D#Ts,IT9CC(^{4(;vC'ri,"RCC'riT/ SUkC(^{X*DyP(^MX(# REVOKE odCZ7zH0ZhDX(#7z(^{DX(a7zyP(^{ZhDX (# 7z(^{FDX(;a7zNNd{(^{FD`,X(,KX(IC(^{FZ h#}g,Y( CLAIRE + SELECT WITH GRANT OPTION Zh RICK,;s RICK + SELECT Zh BOBBY M CHRIS#g{ CLAIRE 7z RICK D SELECT X(, G4 BOBBY M CHRIS T#t SELECT X(# 20 }]b2+T8O LBAC >$ yZj)DCJXF (LBAC) 92+T\m1\;<7X7(TZwPwP_P4CJ (DC'M_PACJ(DC'#2+T\m1(}4(2+_T4dC LBAC 53# 2+_ThvDGC47(D)C'\;CJD)}]Du~#TZNN;vm,; \9C;v2+_T4#$|,+;,DmITI;,D2+_T#$# 4(2+_T.s,2+T\m1+4(F*2+jEMb}(D}]bTs,b) TsG2+_TDiI?V#2+jEhv;i2+u~#b}(q-;vfr, 4,Z5Pb}(DC'CJ\2+_T#$D}]1,;h*?FTCC'HO2 +jE# ;)4(2+jE,MIT9dkwvmPMmP`X*T#$fEZG);CPD }]#\2+jE#$D}]F*\#$}]#2+T\m1(}+2+jEZhC '4JmCC'CJ\#$}]#1C'"TCJ\#$}]1,CC'D2+jE +kCZ#$C}]D2+jExPHO#CZxP#$DjE+h{;?V2+j E# TsyP( 4(;vTs1,I+CTsDyP(Vdx;vZ(j6#yP(G8C'P(Z NNJCD SQL r XQuery odP}CKTs# Z#=Z4(Ts1,KodDZ(j6Xk_PZ~=rT=8(#=P4(Ts yhDX(#4,(^{FXkG#=DyP_rT#=5P CREATEIN X(# ":4(mUd":eXr}]bVxi1,K*s;JC#b)Ts"GZ#=P 4(# 4(Ts1,odDZ(j6GKTsD(e_;1!ivB,Z4(KTs.s, odDZ(j6GKTsDyP_# ":}bivG:g{T CREATE SCHEMA od8( AUTHORIZATION !n,G 4w* CREATE SCHEMA Yw?V4(Dd{NNTsI AUTHORIZATION !n 8(DZ(j6yP#+G,u< CREATE SCHEMA YwsZ#=P4(DNNTs IkX( CREATE odX*DZ(j65P# }g,od CREATE SCHEMA SCOTTSTUFF AUTHORIZATION SCOTT CREATE TABLE T1 (C1 INT) 4(#= SCOTTSTUFF Mm SCOTTSTUFF.T1,b=_yt SCOTT yP#YhC ' BOBBY T SCOTTSTUFF #=5P CREATEIN X(,"Z SCOTTSTUFF.T1 mO4 (w}#r*w}Z#=.s4(,rK BOBBY Z SCOTTSTUFF.T1 O5Pw}# y]*4(DTs`MrTsyP_VdX(: v TB4(Dm"w}MLr|~=Zh CONTROL X(#KX(JmTs4(Lr CJ}]bTs,"ZhM7zd{C'TKTsDX(#g{d{C'h*TC TsD CONTROL X(,G4_P ACCESSCTRL r SECADM (^DC'XkZ hTCTsD CONTROL X(#TsyP_^(7z CONTROL X(# v g{TsyP_TS<(e}CDyPm"S}Ts,r*Tsm S"M#b)(^TZTsyP_G~=DR;\7z# 
yP_ITZhTTsD3)X((}g,Ddm),"R_P ACCESSCTRL r SECADM (^DC'IT7zyP_TTsDb)X(#yP_;\ZhTTsD3) X((}g,"Mm),"R;\7zyP_TTsDb)X(#9C TRANSFER OWNERSHIP od+b)X(*Fxm;vC'#4(Ts1,odDZ(j6GKT sD(e_;1!ivB,Z4(KTs.s,odDZ(j6GKTsDyP_# +G,19C BIND |n44(Lr|"8( OWNER authorization id !n1,ILr |P2, SQL od4(DTsDyP_G authorization id D5#Kb,g{Z CRE- ATE SCHEMA odP8(K AUTHORIZATION Sd,G4Z AUTHORIZATION X |Vsf8(D(^{G#=DyP_# 2+T\m1rTsyP_IT9C TRANSFER OWNERSHIP od4|D}]bTs DyP(#rK,\m1I*Z(j64(;vTs,=(G+Z(j6Cw^(J 44(Ts,;s9C TRANSFER OWNERSHIP od+\m1TCTsDyP(*F xZ(j6# (^Ev Z5}6pM}]b6pOfZwV\m(^#b)\m(^Vi*3)X(M( ^,Tcz\;+|GZhZ}]b20}LP:pb)NqDC'# 5}6p(^ 5}6p(^9z\;4P5}6'D/},}g,4(M}6}]b"\mmUd T0`S5}ODn/MT\#NN5}6p(^<;a)T}]bmP}]DCJ (#B}M|B}]T0\m$w:X#B?( ),ABCDE 、 、 9 F GH9IJ345K/ LM9 SYSMAINT - - - - - - - - - RUNSTATS NO 345  PQR S, TUVW  TX345YZ[\]^ _`ab "#cdm;aa)T}]D CJ() BKJ11D)O_6p(^|(OM6p(^a)D&\#}g,_P DBADM (^DC'IT4P_P SQLADM M EXPLAIN (^DC'D/}T0_ P WLMADM (^DC'DyP/}(ZhT$w:XD USAGE X(}b)# DATAACCESS - - - TRANSFER OWNERSHIP - EXECUTE - EXECUTE - AUDIT - SELECT - CONNECT $%、129&'yz{|}rs|\~`( GH9IJtK/9/0 € |‚ƒ"#D„W… K/ |‚ƒ"#D„W…GH K/ € |"#39d† K/ /0 SECADM - SELECT - SQLADM WLMADM EXPLAIN BINDADD CONNECT CREATETAB00 CREATE_EXTERNAL_ROUTINE CREATE_NOT_FENCED_ROUTINE IMPLICIT_SCHEMA LOAD QUIESCE_CONNECT - XSR |"#39d† K/ GH9IJ 、 、 、 、 、、 、 、、 9 GH9IJ|z‡2ˆ、‰Š、‹Œ、…A、W… ('"#D„‚ƒW…)、Ž 、、<、3、345、d† 9 |}tK/ ACCESSCTRL - LOAD - MQT SELECT INSERT UPDATE DELETE - SELECT - EXECUTE - EXECUTE /0 |t3、d†、 9‹Œ 、 、 9K/ |"#39d† K/ |tW…('"#D„‚ƒW…) K/ |t…A K/ DBADM - - - - - - -/ - RUNSTATS $%、129&'‘yz{ |} ’“ijno $%、”•9&'–ocd< Z[345]^ ijklmno TX345 gF‰Š 3 6 - BINDADD - CONNECT - CREATETAB - CREATE_EXTERNAL_ROUTINE - CREATE_NOT_FENCED_ROUTINE - IMPLICIT_SCHEMA - LOAD - QUIESCE_CONNECT /0 /0 /0 /0 /0 /0 /0 /0 SQLADM - CREATE EVENT MONITOR - DROP EVENT MONITOR - FLUSH EVENT MONITOR - SET EVENT MONITOR STATE - FLUSH OPT. 
PROFILE CACHE - FLUSH PACKAGE CACHE - PREPARE - REORG INDEXES/TABLES - RUNSTATS - EXECUTE - SELECT - EXPLAIN - ALTER SERVICE CLASS ALTER THRESHOLD ALTER WORK ACTION SET ALTER WORKLOAD |t"#D„W…('‚ƒW…) K/ |"#39d† K/ 、 、 9 ™š› WLMADM - - - EXECUTE $%、129&'œžŸ:;< |}rs|\~`( GH9IJœžŸK/ |"#D„œžŸ:;W… K/ |œžŸGH K/USAGE EXPLAIN - EXPLAIN - PREPARE - EXECUTE € € |"#D„ ¡W… K/ < 2. }]b6p(^ 24 }]b2+T8O 5}6p(^ 53\m(^(SYSADM) SYSADM (^6pG5}6pOn_6pD\m(^#_P SYSADM (^DC'I TZ5}ZKP;)5CLrT0"v;)}]bM}]b\mw|n# T sysadm_group dCN}8(Di8( SYSADM (^#(}=(O9CD2+T$ _4S}]b\mwb?XFCiDI1Jq# ;P_P SYSADM (^DC'EIT4PBP&\: v }6}]b v 4-}]b v |D}]b\mwdCD~(dP|(8(_P SYSADM"SYSCTRL"SYSMAINT r SYSMON (^Di) _P SYSADM (^DC'ITZhM7zmUdX(,9IT9CNNmUd# ":1_P SYSADM (^DC'4(}]b1,aT/ZhCC'TC}]bD ACCESSCTRL"DATAACCESS"DBADM M SECADM (^#g{*@9CC'T} ]b\m1r2+T\m1m]CJC}]b,G4XkT=X7zCC'Db)} ]b(^# Z V9.7 .0D"PfP,SYSADM (^|(K~= DBADM (^"R9a)KZh M7zyP(^MX(D&\#Z V9.7 P,DB2 Z(#MQ|B*w7XxV53\ m1"}]b\m1M2+T\m1D0p#w*Kv?D;?V,I SYSADM (^ a)D&\QuY# Z V9.7 P,v SECADM (^a)ZhM7zyP(^MX(D&\# *KC5P SYSADM (^DC'q! 
V9.5 PD&\(}KZh SECADM (^D& \),2+T\m1XkT=ZhCC' DBADM (^"RZhCC'BD DATAACCESS M ACCESSCTRL (^#IT(}+ GRANT DBADM ON DATA- BASE odkCodD1!!n WITH DATAACCESS M WITH ACCESSCTRL dO 9C4Zhb)B(^#DATAACCESS (^GJmTX(}]bPD}]xPCJD (^,x ACCESSCTRL (^GJmC'ZX(}]bPZhM7zX(T0G\m( ^D(^# PX Windows LocalSystem J'D"bBn Z Windows 53O,148(}]b\mwdCN} sysadm_group 1,LocalSystem J';O*G53\m1(5P SYSADM (^)#Z V9.7 P,SYSADM (^wC rPD|Da0lI LocalSystem KPDNN DB2 &CLr#b)&CLr(#GT Windows ~qN=`4D,"R9Cw*~qG};v}]b v >}"4(rDd;vmUd v 9CNNmUd v 4-=VPrBD}]b# mb,_P SYSCTRL (^DC'IT4P_P53,$(^ (SYSMAINT) M53` S(^ (SYSMON) DC'D/}# _P SYSCTRL (^DC'2Pk;v}]b,SD~=X(# ":1_P SYSCTRL (^DC'4(}]b1,aT/Zh{GT}]bDT= ACCESSCTRL"DATAACCESS"DBADM M SECADM (^#g{S SYSCTRL i P}%K}]b4(_,xR9*@9dT\m1m]CJC}]b,G4XkT= 7zH0a=DDn\m(^# 53,$(^(SYSMAINT) SYSMAINT (^GZ~6pD53XF(^#K(^a)T}]b\mw5}0d}] b4P,$M5CLrYwD&\#b)YwIT0l53J4,+G|G";Jm T}]bP}]D1SCJ# 53,$(^G*3)C'hFD,b)C',$|,tP}]D}]b\mw5} PD}]b# T sysmaint_group dCN}8(Di8( SYSMAINT (^#g{8(K;vi,G 4(}=(O9CD2+T$_S}]b\mwb?XFCiDI1Jq# ;P_P SYSMAINT r|_53(^DC'EIT4PBPYw: v 8]}]brmUd v 4-*VPD}]b v 4P0vV4 v t/r#95} v 4-mUd v 9C db2trc |n4KPzY v zI}]b\mw5}rd}]bD}]b53`SwlU# 26 }]b2+T8O _P SYSMAINT (^DC'IT4PBPYw: v i/mUdD4, v |BU>z7G}$w:X\mwTs"ZhM7z$w:X\mwX(T04P$w: X\mw}L# ;P_P SECADM (^DZ(j6E\Zh ACCESSCTRL"DATAACCESS"DBADM M SECADM (^#yPd{(^}: – sF_T – 2+jEi~ – 2+_T – IEOBD v 4(""MM>}: – G+ – 2+jE v ZhM7z}]bX(M(^ v 4PBPsF}LT4P8(DNq: – SYSPROC.AUDIT_ARCHIVE f"}LMm/}TsFU>xPi5# – SYSPROC.AUDIT_LIST_LOGS m/}JmziRX"DU># – SYSPROC.AUDIT_DELIM_EXTRACT f"}L+}]i!=(gD~P,Tcx PVv# Z 1 B DB2 2+T#M 29 2+T\m1ITZhr7zTb)}LD EXECUTE X(,SxZh*192+T \m1\;/Ib)Nq#;P2+T\m1E\ZhTb)}LD EXECUTE X (#TZb)}L,;\Zh EXECUTE X( WITH GRANT OPTION (SQLSTATE 42501)# v 9C AUDIT od+sF_Tk~qwPDX(}]br}]bTsX* v 9C TRANSFER OWNERSHIP od4+dCodDZ(j645PDTs ;Pd{(^a)b)&\# ;P2+T\m1E\+ ACCESSCTRL"DATAACCESS"DBADM M SECADM ( ^Zhd{C'"irG+# Z V9.7 P,DB2 Z(#MQ|B*w7XxV53\m1"}]b\m1M2+T\ m1D0p#w*Kv?D;?V,I SECADM (^a)D&\Q)9#Z V9.7 . 
0D"PfP,SECADM (^4a)ZhM7zyP(^MX(D&\#"R, SECADM (^;\ZhC',x;\ZhG+ri#Kb,TZsFZC}LMm/ },SECADM (^4a)+ EXECUTE X(Zhd{C'D&\# }]b\m(^ (DBADM) DBADM (^GTX(}]bD\m(^#}]b\m15P4(TsM"v}]b| nyhDX(#Kb,_P DBADM (^DC'9T53?}k2+T;`XD}]bTs v A!U>D~ v 4("$nM>}B~`Sw v i/mUdD4, v |BU>z7G}M"M$w:X\mwTsT0ZhM7zTdDCJ(# WLMADM (^II2+T\m1(5P SECADM (^)r_P ACCESSCTRL ( ^DC'Zh#IT+ WLMADM (^ZhC'"i"G+r PUBLIC#WLMADM ( ^9C'\;4PBPYw: v 4("Dd""MM>}BP$w:X\mwTs: – 1=<#e – ~q` – P5 – $wYw/ – $w`/ – $w:X v ZhM7z$w:XX( v 4PZC$w:X\m}L# WLMADM (^|,Z}]b\m1(^ DBADM P# 5w\m(^(EXPLAIN) EXPLAIN (^GZ;PqCX(}]b}]DCJ(Div5wi/=8yhD(^# K(^|,Z}]b\m1(^P,;PCJf"ZmPD}]DLPX(# 34 }]b2+T8O EXPLAIN (^II2+T\m1(5P SECADM (^)r_P ACCESSCTRL (^ DC'Zh#IT+ EXPLAIN (^ZhC'"i"G+r PUBLIC#C(^9z\; 4PBP SQL od: v EXPLAIN v PREPARE v DESCRIBE(TZ SELECT odr XQuery odDdv) EXPLAIN (^9a)TZC5w}LD EXECUTE X(# EXPLAIN (^|,Z SQLADM (^P# LOAD (^ Z}]b6p_P LOAD (^T0Tm_P INSERT X(DC'IT9C LOAD |n +}]0k=mP# ":_P DATAACCESS (^DC'T LOAD |n_Pj+CJ(# g{H0D0kYwGC40kek}]DYw,G4Z}]b6p_P LOAD (^ RTm_P INSERT X(DC'IT4P LOAD RESTART r LOAD TERMINATE Yw# Z}]b6p_P LOAD (^,1Tm_P INSERT M DELETE X(DC'IT9 C LOAD REPLACE |n# g{H0D0kYwG0kf;,G49XkTCC'Zh DELETE X(,CC'E \4P LOAD RESTART r LOAD TERMINATE Yw# g{+l#mCw0kYwD;?V,G4C'Tl#mXk_P INSERT X(# _PK(^DC'IT4P QUIESCE TABLESPACES FOR TABLE"RUNSTATS M LIST TABLESPACES |n# ~=#=(^ (IMPLICIT_SCHEMA) "bBn 14(B}]b1,}GZ CREATE DATABASE |nP8(K RESTRICTIVE !n,qr PUBLIC a;Zh IMPLICIT_SCHEMA }]b(^# _P IMPLICIT_SCHEMA (^DC'I(}4(Ts"8(;fZD#={F44( #=#SYSIBM I*~=4(D#=DyP_,"RZh PUBLIC ZK#=P4(T sDX(#g{}]b_P^FT,G4 PUBLIC ;PTC#=D CREATEIN X(# ~=4(C#=DC'_PTC#=D CREATEIN X(# g{}]bh*XF~=4(#=TsDC',G44(C}]b1Xk8( RESTRIC- TIVE !n#g{}]b;G^FTD,G4Xk7z PUBLIC D IMPLICIT_SCHEMA }]b(^#ZK!0P,;P}V=(IC44(#=Ts: v NNC'1,TC}]b5PT= DBADM ( ^DZ(j6+;T/ZhT PUBLIC D SETSESSIONUSER X(#b+@9yZ_ P DBADM (^DZ(j6D&CLr^(+a0Z(j6hC*NNZ(j6#1 Z(j6_P SYSADM (^+P4;T=XZh DBADM (^1,;a"zbVi v# #=X( #=X(tZTsX(`p# TsX(T>Z< 3 P# #=X(f0=T;v}]bPD#=y4PDYw#I+BPNNX(ZhC'" i"G+r PUBLIC: v CREATEIN 
JmC'Z#=P4(Ts# |} CONTROL (3) CONTROL (‰Š) DELETE INSERT SELECT UPDATE CONTROL (d†) (345) USE (Ž t¯) ALTERIN CREATEIN DROPIN (<) PASSTHRU () USAGE ALTER CONTROL (‹Œ) BIND EXECUTE EXECUTE CONTROL (…A) (´…、 u、µ¶) ALTER DELETE INDEX INSERT REFERENCES SELECT UPDATE ALTER DELETE INDEX INSERT REFERENCES SELECT UPDATE < 3. TsX( 36 }]b2+T8O v ALTERIN JmC'Z#=PDdTs# v DROPIN JmC'Z#=P>}Ts# #=yP__PyPb)X(,"RP+b)X(Zhd{C'D&\#Z#=Ts PY]DTs|(:m"S<"w}"Lr|"}]`M"/}"%"w"}LMp {# mUdX( mUdX(f0T}]bPmUdDYw#I+TmUdD USE X(ZhC',bJ mC'ZCmUdP4(m# 4(mUd1,dyP_;ZhTCmUdD USE X((x WITH GRANT OPTION)#Kb,5P SECADM r ACCESSCTRL (^DC'\;ZhTmUdD USE X(# 5P SYSADM r SYSCTRL (^DC'\;9CNNmUd# Z1!ivB,4(}]b1,a+TmUd USERSPACE1 D USE X(Zh PUB- LIC(d;IT7zKX()# USE X(;\dO SYSCATSPACE rNN53Y1mUd9C# mMS}|T0ZhM7zwvmX (D&\#Xk_P ACCESSCTRL r SECADM (^,E\Zh CONTROL#; vmD4(_T/SUmD CONTROL X(#v1S}P# v INDEX JmC'Tm4(;vw}#w}4(_T/_Pw}D CONTROL X(# v INSERT JmC'+PekmrS};vb|,"8(Cm*X5PD8m#C'I \;TX(DP5PKX(# v SELECT JmC'lwmrSq SELECT"UPDATE M DELETE byDYw+0lCYwD?jmMdyPSm(tP)PDP#bVP*F*If ;T#}g,Yh4(K;v`M* Employee_t D Employee m,|_P`M* Manager_t DSm Manager#-mG;VXbD01,bIa9/`M Employee_t k Manager_t .dD“`M/S`M”X5,MT&DZm Employee k Manager .dD“m/ Sm”X548>#IZbVX5,SQL i/: SELECT * FROM Employee +5X01M-mDTsj6M Employee_t tT#`FX,|BYw: UPDATE Employee SET Salary = Salary + 1000 +x-mM}=01S=;'*# T Employee _P SELECT X(DC'IT4Pbv SELECT Yw,49{GT Man- ager ;PT= SELECT X(#+G,+;Jmb`C'1ST Manager Sm4P SELECT Yw,rK,b`C'+;\CJ Manager mDNNGLPP# `FX,T Employee _P UPDATE X(DC'+\;T Manager 4P UPDATE Y w,Sx0l}fD01M-m,49CC'T Manager m;_PT=D UPDATE X (#+G,+;Jmb`C'1ST Manager Sm4P UPDATE Yw,rx,b`C '+;\|B Manager mDNNGLPP# Lr|X( Lr|G;v}]bTs,||,}]b\mwTJOZX(&CLrDnP'== CJ}]yhDE"#Lr|X(9C'\;4(MY]Lr|# C'XkT}]b_P CONNECT (^,EI9CBPNNX(: v CONTROL xC'a)XBs(">}r4PLr|D&\,T0+G)X(Zhd {C'D&\#Lr|D4(_T/SUKX(#_P CONTROL X(DC';Z h BIND M EXECUTE X(,9IT9C GRANT od+b)X(Zhd{C'# (g{9C WITH GRANT OPTION ZhX(,G4SU BIND r EXECUTE X (DC'IT@N+KX(Zhd{C'#)*Zh CONTROL X(,C'Xk_ P 
ACCESSCTRL r SECADM (^# v TLr|D BIND X(JmC'XBs(rs(CLr|T0mS_P`,Lr|{ M4(_DBLr|f># v EXECUTE JmC'4PrKPLr|# ":yPLr|X(JCZ2m`,Lr|{M4(_DyP VERSION# 38 }]b2+T8O }b)Lr|X(b,BINDADD }]b(^9JmC'4(BLr|rXBs(}] bPDVPLr|# 4GF}CDTsh*T|,CTsD}]4izO$li#mb,Lr|C'Xk T}]4PD}]4Ts5PJ1X(r(^6p# |,GFDLr|I\h*d{Z(=h,r*k DB2 5P}]4(E1,DB2 }] b9C/,i/#Z}]4KPLr|DZ(j6XkP!1D(^,EIZC}] 4/,4PKLr|# w}X( w}rw}f6D4(_T/SUCw}D CONTROL X(#w}D CONTROL X( 5JG>}Kw}D&\#*ZhTw}D CONTROL X(,C'Xk_P ACCESSCTRL r SECADM (^# m6p INDEX X(JmC'TCm4(w}# GF6 INDEX X(JmC'TCGF4(w}f6# rPX( rPD4(_T/SUTrPD USAGE M ALTER X(#*9CrPD NEXT VALUE M PREVIOUS VALUE mo=,h*_P USAGE X(# *Jmd{C'9C NEXT VALUE M PREVIOUS VALUE mo=,Xk+rPX( Zh PUBLIC#bMJmyPC'9C_P8(rPDmo=# rPOD ALTER X(JmC'4PngXBt/rPr|D+4rP5v?.`DN q#rPD4(_ITZhd{C' ALTER X(,"Rg{9C WITH GRANT OPTION,G4b)C'IT@N+b)X(Zhd{C'# }LX( EXECUTE X(f0TyP`MD}L(g}]bPD/}"}LM=()4PDYw# ;)_P EXECUTE X(,C'MITwC}L"4(4ZC}Lr(v&CZ/}) D/}T0ZNN DDL od(g CREATE VIEW M CREATE TRIGGER)P}C} L# (eb?f"}L"/}r=(DC'SU EXECUTE WITH GRANT X(#g{( } WITH GRANT OPTION + EXECUTE X(Zhm;vC',G4CC'IT@N + EXECUTE X(Zhd{C'# T$w:XD USAGE X( *\;9C3;$w:X,5P ACCESSCTRL"SECADM r WLMADM (^DC' IT9C GRANT USAGE ON WORKLOAD od4*C'"irG+ZhTC$w :XD USAGE X(# 1 DB2 }]b53"V`%dD$w:X1,|Malia0C'GqTC$w:X _P USAGE X(#g{a0C'TC$w:X;P USAGE X(,G4 DB2 }] b53+ZPrPmPQwB;v`%dD$w:X#;d05,a0C'Td;_ 8 USAGE X(D$w:X+;1w;fZ;y4T}# Z 1 B DB2 2+T#M 39 USAGE X(E"f"Z?ZhNNC'#;J m"vK SET WORKLOAD TO SYSDEFAULTADMWORKLOAD |n"Rda0Z(j6_P ACCESSCTRL"DATAACCESS"DBADM"WLMADM r SECADM (^DC'9C K$w:X# GRANT USAGE ON WORKLOAD M REVOKE USAGE ON WORKLOAD odT SYSDEFAULTADMWORKLOAD ;PNN0l# ;,OBDPDZ(j6 9CZ(j6P=v?D:j6MZ(li#}g,a0Z(j6CZu# TZ(j6DOBD}C (e 53Z(j6 CZ4PNNu DB2 }]b53ZDb?C'j6#53Z(j6m>4( ,SDC'#9C SYSTEM_USER (CDfw4i453Z(j6D105# ;\|D,SD53Z(j6# a0Z(j6 CZNNa0Z(liDZ(j6,a0Z(liZ,S&mZd4Pju< l i s 4 P # a0Z ( j 6 D 1 ! 
5 G 5 3 Z ( j 6 D 5 # 9 C SESSION_USER (CDfw4i4a0Z(j6D105#USER (CDfw G SESSION_USER (CDfwD,eJ#IT9C SET SESSION AUTHO- RIZATION od|Da0Z(j6# 40 }]b2+T8O Lr|Z(j6 CZ+Lr|s(A}]bDZ(j6#S BIND |nD OWNER authorization id !nD5Pq!KZ(j6#Lr|Z(j6P1F*Lr|s(LrrLr |yP_# }LyP_Z(j6 P>Z53?K?VivB9CDZ(j6: CZ"vLr|D DYNAMICRULES !nD5 9CDZ(j6 RUN a0Z(j6 BIND Lr|Z(j6 DEFINERUN M INVOKERUN a0Z(j6 DEFINEBIND M INVOKEBIND Lr|Z(j6 v /, SQL(Z}LOBDP) BmT>K?VivB9CDZ(j6: CZ"vLr|D DYNAMICRULES !nD5 9CDZ(j6 DEFINERUN M DEFINEBIND }LyP_Z(j6 INVOKERUN M INVOKEBIND }LwCLrZ(j6 9C CURRENT_USER (CDfw4i4odZ(j6D105#;\1S| DodZ(j6;DB2 }]b53+T/|DCj6T43?v SQL odD TJ# 4(}]b1ZhD1!X( 4(}]b1,aZC}]bZZhz1!}]b6p(^M1!Ts6pX(# 4U+(^MX(G<=dPD53?KZhzD(^MX(: 1. SYSCAT.DBAUTH v }]b4(_;ZhBP(^: – ACCESSCTRL – DATAACCESS – DBADM – SECADM Z 1 B DB2 2+T#M 41 v ZG^(}]bP,Xbi PUBLIC ;ZhBP(^: – CREATETAB – BINDADD – CONNECT – IMPLICIT_SCHEMA 2. SYSCAT.TABAUTH ZG^(}]bP,Xbi PUBLIC ;ZhBPX(: v TyP SYSCAT M SYSIBM mD SELECT X( v TyP SYSSTAT mD SELECT M UPDATE X( v T#= SYSIBMADM PBPS}+ EMPLOYEE mD SELECT X(ZhC' HERON: Z 1 B DB2 2+T#M 43 GRANT SELECT ON EMPLOYEE TO USER HERON TB>}+ EMPLOYEE mD SELECT X(Zhi HERON: GRANT SELECT ON EMPLOYEE TO GROUP HERON 7zX( REVOKE odJmZ(C'7zH0QZhd{C'DX(# XZKNq *7zT}]bTsDX(,XkTCTs_P ACCESSCTRL (^"SECADM (^ r CONTROL X(#mUdX(9ITI_P SYSADM M SYSCTRL (^DC'7 z#"b,VP9C WITH GRANT OPTION ZhDX(";cT7zCX(#*7 zm;vC'D CONTROL X(,Xk_P ACCESSCTRL r SECADM (^#*7 z ACCESSCTRL"DATAACCESS"DBADM r SECADM (^,Xk_P SECADM (^#mUdX(;\I5P SYSADM r SYSCTRL (^DC'7z#;\7zTV PTsDX(# ":;_P ACCESSCTRL (^"SECADM (^r CONTROL X(DC';\7z {G9C WITH GRANT OPTION ZhDX(#mb,I;7zX(DKZhX(D G)K;a;7zX(# g{7zC'(_P DBADM (^)DT=ZhDm(rS<)X(,G4+;aS ZCmO(eDd{S<7zX(#bGr*S}SC' HERON 7zT EMPLOYEE m D SELECT X(: REVOKE SELECT ON EMPLOYEE FROM USER HERON TB>}Si HERON 7zT EMPLOYEE mD SELECT X(: REVOKE SELECT ON EMPLOYEE FROM GROUP HERON "bS;viP7zX(";\SCiDyPI1P7zCX(#g{vp{FQ; 1SZh;vX(,G4K{F+#t|,1=;1S7zCX(*9# g{S;vC'7zKmX(,G427zTCC'4(DNNS}Ts4\m~=(^ 
}]b\mw+3)X(~=XZh4(}]bTs(gmrLr|)DC'#1_ P DBADM (^DC'4(Ts1,2aZhX(#`FX,1>};vTs1,M }%KX(# XZKNq 14(DTsGm"GF"w}rLr|1,C'aSU=TCTsD CONTROL X (#1TsGS<1,;PZC'TCS<(eP}CDyPm"Sa0DK ks#Lr||,JmC'Tm`}]bTs4P;,YwDod#dP?vYwh *;vr`vX(# Zhs(Lr|DvK"PUBLIC MG+(b)G+QZhvKM PUBLIC)DX(C ZZs(2, SQL M XQuery od1li(^#(}iZhDX(T0ZhiDG+ ;CZZs(2, SQL M XQuery od1li(^# }Gs(Lr|18(K VALIDATE RUN,qr_PP'Z(j6"s(Lr|DC 'XkzcTBN;u~: v Q;Zh4PLr|P2, SQL r XQuery odyhDyPX(# v Q(}BP;nr`nDI1Jqq!XhX(: – PUBLIC – Zh PUBLIC DG+ – ZhC'DG+ g{4P BIND 18(K VALIDATE RUN,G4"GKLr|PNN2, SQL r XQuery odDyPZ('\<+Xm#m;u/,od}CKGF#1s(KLr|1,9CLr|4(_ DZ(j64i$T>XmMGFDX(,+;TGFj6D}]4Ts4Pli# 1m;vC'4PKLr|1,Yh{TCLr|_P EXECUTE X(,G4CC'; X(}T}CKmDodyvDNN=SDX(li#+G,TZ}CGFDod, 4PKLr|DC'Xk(}}]4DO$liMX(li# 1 .SQC D~v|,/, SQL M XQuery odT0mkGFDlO}C1,T>XT sMGFD DB2 }]bZ(li`F#Lr|C'Xk(}ZodZhCDNN>X 46 }]b2+T8O Ts(mMS<)DX(li,9*(}GFTsDX(li(Lr|C'Xk(} Z|,GFj6DTsD}]4&DO$liMX(li)#Zb=VivB,Lr |DC'X DB2 }]bS<#b)S}# Z 1 B DB2 2+T#M 47 rVV-r,m`KI\h*CJ STAFF mPDE"#}g: v KB?Eh*\|BMi4{vm# (}Zhi PERSONNL T STAFF mD SELECT M UPDATE X(,IT\]W XzcK*s: GRANT SELECT,UPDATE ON TABLE STAFF TO GROUP PERSONNL v vp?ED-mh*i4{G01D$JE"# IT(}*?v?E-m4(;vS<4zcK*s#}g,IT*?EE* 51 D -m4(gBS<: CREATE VIEW EMP051 AS SELECT NAME,SALARY,JOB FROM STAFF WHERE DEPT=51 GRANT SELECT ON TABLE EMP051 TO JANE _PZ({ JANE D-m+qi/ STAFF m;yi/ EMP051 S<#1CJ STAFF mD EMP051 S<1,K-ma4=gBE": {F $J 0; Fraye 45150.0 Mgr Williams 37156.5 Sales Smith 35654.5 Sales Lundquist 26369.8 Clerk Wheeler 22460.0 Clerk v yPC'C'ITC4q!{GI\^(CJD}]DCJ(DdS=(: v ?P,1!ivBa+?D}]b53P,(}9C CREATE DATABASE |nDB!n RESTRICTIVE,C'IT!qGq+?#*Ka_2+T,;&C+Z5w}LM5wmDCJ(ZhPJqDC'# v U>DAw/}:g{C'P(KPA!U>D/},"R\;mbU>G: /} 4PC/}yhD(^ db2ReadLog SYSADM r DBADM db2ReadLogNoConn ^# v 4F:4F}]1,49\#$}]2aZ?j;CYV#*Ka_2+T,&C 7#?j;CAYk4;C,y2+# v l#m:g{Z+}]0kmP18(Kl#m,P(CJl#mDC'MaqC {GI\^(CJDE"#*Ka_2+T,;&C+l#mDCJ(ZhZ(C ',"R,9Cl#mjOs&"4+d>}# v 8]mUdr}]b:P(KP BACKUP DATABASE |nDC'\;4(}]brmU dD8](|,NN\#$}])"+C}]4-=p]I\|,C'^( Td{==CJD}]# 5P 
SYSADM"SYSCTRL r SYSMAINT (^DC'IT4P BACKUP DATABASE |n# v hCa0(^:Z DB2 (C}]b V8 r|gf>P,_P DBADM (^DC' IT9C SET SESSION AUTHORIZATION SQL od4hCNN}]bC'Da0 Z(j6#Z DB2 V9.1 r|_f>D}]b53P,Xk(} GRANT SETSESSIONUSER odT=XTC'Z(,by{GE\hCa0Z(j6# +G,Z+VP V8 }]b}6= DB2 V9.1 r|_f>D}]b531,5PV PT= DBADM (^(}g,Z SYSCAT.DBAUTH PZhKK(^)DC'T\ ;+a0Z(j6hC*NN}]bC'j6#JmbyvD?DG9VP&CL rT\;}#KP#IZ\;hCa0Z(j6,rK1ZXJmC'CJyP\ #$}]#*Ka_2+T,IT(}4P REVOKE SETSESSIONUSER SQL od 42GKhC# v x ( ` S : Z DB2 } ] b \ m 5 3 D x ( ` S n / P , g { 8 ( K HIST_AND_VALUES U/6p,Ma+kN}jGX*D54A`Sdv#52+ 6k=x(B~`Swy6qDodD>P#ZG,\;CJ`SdvDC'M\ CJ{GI\^(CJDE"# v n/`S:Z9Cn/B~`SwD DB2 }]b\m53D`Sn/P,g{8( K VALUE Sd,Ma+kN}jGX*D54A`Sdv;g{8(K WITH DETAILS Sd,Ma+odD>(dPI\|,dk}]5)4A`Sdv#ZG, \;CJ`SdvDC'M\CJ{GI\^(CJDE"#*Ka_2+T,; &C+ CREATE EVENT MONITOR odT0NNB~`SwmDCJ(ZhPJ qDC'# v Lr|_Y:f`S:Z9CLr|_Y:fB~`Sw`S DB2 }]b\m53 PDLr|_Y:f1,;*SLr|_Y:fP/vK;vZ,Ma+odD> (dPI\|,dk}]5)4A`Sdv#*Ka_2+T,;&C+ CREATE EVENT MONITOR odT0NNB~`SwmDCJ(ZhPJqDC'# v `Swm/}"S104Pod rLr|_Y:fPodDodD># Z 1 B DB2 2+T#M 51 – SYSPROC.MON_GET_ACTIVITY_DETAILS – SYSPROC.MON_GET_PKG_CACHE_STMT – SYSPROC.MON_GET_PKG_CACHE_STMT_DETAILS – SYSIBMADM.MON_PKG_CACHE_SUMMARY – SYSIBMADM.MON_CURRENT_SQL – SYSIBMADM.MON_LOCKWAITS – SYSIBMADM.MONREPORT.LOCKWAIT – SYSIBMADM.MONREPORT.CURRENTSQL – SYSIBMADM.MONREPORT.PKGCACHE odD>I\|,dk}]5#*Ka_2+T,;&C+b)m/}M(fD EXECUTE X(T0b)Sdk}]5# v db2cat:db2cat $_C4*"mD9uhv{#mD9uhv{|,3FE",b )3FE"I\a86PXmZ]DE"#ZG,KP db2cat $_r_P(CJd vDC'M\CJ{GI\^(CJDE"# }]S\ DB2 }]b53a)KtI=(4Tf"wPD}]M(}xg+dD}]xPS\# Tf"wPD}]xPS\ IT!qBP=(4Tf"wPD}]xPS\: v IT9CS\Mb\ZC/} ENCRYPT"DECRYPT_BIN"DECRYPT_CHAR M GETHINT 4T}]bmPD}]xPS\# v IT9C IBM Database Encryption Expert 4TWcYw53}]M8]D~xPS \# v g{Z AIX Yw53OKP DB2 Enterprise Server Edition 53,"RvX"D~ 6pS\,G4I9CS\D~53 (EFS) 4TYw53}]M8]D~xPS\# T+dD}]xPS\ *TZM'zk DB2 }]b.d+dD}]xPS\,IT9C DATA_ENCRYPT O $`M,r_9C DB2 }]b53T“2+WSVc”(SSL) D'V# 52 }]b2+T8O 9C ENCRYPT"DECRYPT_BIN"DECRYPT_CHAR M GETHINT / } ENCRYPT 
ZC/}9CyZ\kDS\=(T}]xPS\#b)/}9Jmzb0 \ka>#\ka>6kZS\}]P#;)S\,T}]xPb\D(;==G( }9C}7D\k4b\#!q9Cb)/}D*"_&CT|GD\kM;\CD }]gN\mxPF.# ENCRYPT /}Da{G VARCHAR FOR BIT DATA(ns$H* 32631 VZ)# ;\S\ CHAR"VARCHAR M FOR BIT DATA# DECRYPT_BIN M DECRYPT_CHAR /}9CyZ\kDb\T}]xPb\# DECRYPT_BIN N}1,a{D$H I\G}]Td?D$HSO 40 YSO=B;v 8 VZ_gDVZ}#r_,g{4 8(I!a>N},a{D$HI\G}]Td?D$HSO 8 YSO=B;v 8 V Z_gDVZ}# GETHINT /}5Xb0D\ka>#\ka>G+oz}]yP_Xdp\kDLo# }g,IT+“s#”bv%JCwXd\k“+=s”Da># TBP=V==.;7(CZT}]S\D\k: v \kTd?#\kG1wC ENCRYPT /}1T=+MDV{.#9CxvD\kT }]xPS\Mb\# v S\\k(CDfw#SET ENCRYPTION PASSWORD odT\k5xPS\," +S\sD\k"MA}]b\mwTf"Z(CDfwP#49C\kN}wC D ENCRYPT"DECRYPT_BIN M DECRYPT_CHAR /}9C ENCRYPTION PASSWORD (CDfwPD5#ENCRYPTION PASSWORD (CDfw;TS\ q=f"# (CDfwDuDP'$HZ 0 M 32 .d, |( 0 M 32# dC DB2 5}PD2+WSVc (SSL) 'V DB2 }]b53'V SSL,bb6E2'V SSL D DB2 M'z&CLrIT9C SSL WSV,SA DB2 }]b#CLI"CLP M .Net Data Provider M'z&CLrM 9C IBM }]~qw JDBC M SQLJ }/Lr(4 `,S)D&CLr'V SSL# *<.0 ZdC SSL 'V.0,k4PBP=h: Z 1 B DB2 2+T#M 53 v Z Windows =(O,7# IBM Global Security Kit (GSKit) bD76vVZ PATH 73d?P;Z Linux M UNIX =(O,7#C76vVZ LIBPATH"SHLIB_PATH r LD_LIBRARY_PATH 73d?P#120 DB2 }]b531,aT/|( GSKit# Z Windows 32 ;=(O,GSKit b;Z C:\Program Files\IBM\GSK8\lib P#Z KivB,53 PATH Xk|( C:\Program Files\IBM\GSK8\lib#Z Windows 64 ;=(O,64 ; GSKit b;Z C:\Program Files\IBM\GSK8\lib64 P,x 32 ; GSKit b;Z C:\Program Files (x86)\IBM\GSK8\lib P# Z UNIX M Linux =(O,GSKit b;Z sqllib/lib/gskit P# ZG Windows =(O,DB2 }]b\mwT>X==20 GSKit,TZx(5}, GSKit b+;Z sqllib/lib/gskit r sqllib/lib64/gskit P#;PX*Z+V; C20 GSKit Dm;v1>4tC5}#g{fZ GSKit D+V1>,k9+V GSKit kV? 
GSKit &Z,;f># v 7#4$n,S/Pw#g{}ZKP,S/Pw,+;aZ DB2 5}PtC SSL 'V# *7(Gq$nK,S/Pw,k"v GET DATABASE MANAGER CONFIGURATION |n# g{+dCN} max_connections D5hC*sZ max_coordagents D5,G4a $n,S/Pw# XZKNq SSL (E+ks;\9C SSL#+G,T?j~qwDv >ksIT9C SSL# _ICTVQV4 (HADR) 53D SSL 'V ZM'zk HADR w~qw.d'V SSL#,SA9C SSL D HADR w~ qwDM'z\;XB7IA9C SSL D HADR 8C}]b#+G,Z HADR w~qwk HADR 8C~qw.d;'V SSL# GSKit $_ GSKCapiCmd DD5 PX GSKit $_ GSKCapiCmd DE",kNDTBx7a)D GSKCapiCmd User’s Guide:ftp://ftp.software.ibm.com/software/webserver/appserv/library/v80/ GSK_CapiCmd_UserGuide.pdf# 54 }]b2+T8O dC SSL 'V *KdC SSL 'V,zWH4(\?}]b4\m}V$i#b)$iMS\ \?CZ(" SSL ,S#dN,DB2 5}yP_Xk* SSL 'VdC DB2 5}# }L 1. 4(\?}]b"hC}V$i# a. 9C GSKCapiCmd $_44(\?}]b#|Xk*$i\m53 (CMS) `M D\?}]b# GSKCapiCmd *GyZ Java D|nP$_,;h*Z53O2 0 Java M\9CK$_# z9C gskcapicmd |n4wC GSKCapiCmd,g GSKCapiCmd User’s Guide Pyv#Z Linux M UNIX =(O,C|nD76* sqllib/gskit/bin,Z 32 ;M 64 ; Windows =(O,r* C:\Program Files\IBM\GSK8\bin#(Z 64 ;=(O,9fZ 32 ; GSKit I4PD~Mb;ZKivB,C|nD76* C:\Program Files (x86)\IBM\GSK8\bin#)k7# PATH(Z Windows =(O) |(}7D GSKit b76;LIBPATH"SHLIB_PATH r LD_LIBRARY_PATH (Z UNIX r Linux =(O)|(}7D GSKit b76,}g,sqllib/lib64/ gskit# } g , T B | n 4 ( F * mydbserver.kdb D \ ? } ] b T 0 F * mydbserver.sth D~XD~: gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -stash -stash !naZ\?}]byZD76O4(~XD~,dD~)9{* .sth# 5}t/1,GSKit a9C~XD~4q!\?}]bD\k# ":&CT~XD~9C?D~53#$#1!ivB,;P5}yP_E_ PCJKD~D(^(A4CJ()# 14(\?}]b1,aT/9C4T;)ng Verisign .`DO$PD (CA) D)p_$iT|xPnd# b. +~qwD$imSA\?}]b#Z SSL UVZd,~qwa+K$i"M AM'z4*~qwa)O$# *q!$i,IT9C GSKCapiCmd 44(B D$iks"+|a;A CA Tc)p,2IT4(T){$iTCZbT# }g,*4(j)* myselfsigned DT){$i,k4TB>}Py>D==9 C GSKCapiCmd |n: gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization, OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA" c. 
+UE4(D$ii!AD~,TcI+|V"xKPM'z(+k DB2 ~q w(" SSL ,S)DFcz# }g,TB GSKCapiCmd |n+$ii!AF* mydbserver.arm DD~: gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips 2. *kT SSL 'VhC DB2 ~qw,T DB2 5}yP_m]G<"hCBPdC N}M DB2COMM "amd?# Z 1 B DB2 2+T#M 55 a. + ssl_svr_keydb dCN}hC*\?}]bD~Dj<76# }g: db2 update dbm cfg using SSL_SVR_KEYDB /home/test/sqllib/security/keystore/key.kdb g{ ssl_svr_keydb * NULL(4hC),G4;atC SSL 'V# b. + ssl_svr_stash dCN}hC*~XD~Dj<76# }g: db2 update dbm cfg using SSL_SVR_STASH /home/test/sqllib/security/keystore/mydbserver.sth g{ ssl_svr_stash * NULL(4hC),G4;atC SSL 'V# c. + ssl_svr_label dCN}hC*~qwD}V$iDj),Z=h 1 PQm SC}V$i# g{4hC ssl_svr_label,G4a9C\?}]bPD1!$ i#g{\?}]bP;fZNN1!$i,G4;atC SSL# }g:db2 update dbm cfg using SSL_SVR_LABEL myselfsigned,dP myselfsigned Gy >j)# d. + ssl_svcename dCN}hC* DB2 }]b53&CxPl}Tq! SSL , SDKZ# g{,1tCK TCP/IP M SSL(DB2COMM "amd?hC*“TCPIP, SSL”),G4Xk+ ssl_svcename *k* svcename hCDKZ;,DKZ# svcename dCN}hC DB2 }]b53xPl}Tq! TCP/IP ,SDKZ# g{+ ssl_svcename k svcename hC*,;KZ,G4+;atC TCP/IP M SSL .PDNN;n# g{ ssl_svcename * NULL(4hC),G4;at C SSL 'V# ":Z HADR 73P,k;*Twr8C}]b53+ hadr_local_svc hC *T ssl_svcename hCD5#mb,k;*+ hadr_local_svc hC* svcename D5r svcename D5S;# ":1 DB2COMM "amd?hC*“TCPIP,SSL”1,g{4}7tC TCPIP ' V(}g,IZ svcename dCN}hC* NULL),G4a5Xms SQL5043N "R;atC SSL 'V# e. (I!)g{*8(~qwIT9CD)\kW~,G4hC ssl_cipherspecs dCN}# g{+ ssl_cipherspecs #t* NULL(4hC),G4bJm GSKit 9C,1\M'zM~qw'VDn?IC\kW~# kNDZ 66 3D :\'VD\kW~;,Tq!PXD)\kW~ICDE"# f. +5 SSL mSA DB2COMM "amd?# }g: db2set -i db2inst1 DB2COMM=SSL dP db2inst1 G DB2 5}{F# }]b\mwIT,1'V`v-i#}g, *,1tC TCP/IP M SSL (E-i: db2set -i db2inst1 DB2COMM=SSL,TCPIP g. 
XBt/ DB2 5}# }g: db2stop db2start >} TB>}]>KgNT>$i#K>}9CITB|n4(DT){$i: 56 }]b2+T8O gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "mydbserverpw0" -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization, OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA" *T>$i,k"vTB|n: gsk8capicmd_64 -cert -details -db "mydbserver.kdb" -pw "mydbserverpw0" -label "myselfsigned" dvT>gB: label : myselfsigned key size : 1024 version : X509 V3 serial : 96c2db8fa769a09d issue:CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit, L=myLocation,ST=ON,C=CA subject:CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit, L=myLocation,ST=ON,C=CA not before : Tuesday, 24 February 2009 17:11:50 PM not after : Thursday, 25 February 2010 17:11:50 PM public Key 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 B6 B8 DC 79 69 62 C9 A5 C1 5C 38 31 53 AB 27 BE 63 C0 DB DE C6 BC 2E A4 0D 37 45 95 22 0E 83 32 FE 67 A9 2F D7 51 FF 40 A3 76 68 B9 E3 34 CB 7D 4A D8 38 CA B1 6B 32 66 74 8F E2 B8 DA 8F D0 F3 62 04 BE C4 FE 80 2A D0 FF 27 72 37 9A 36 1D DB D3 A1 33 A1 A6 48 33 E9 64 B9 9B 6B DB 08 60 7D 5E 0E 20 0A 26 AA 62 3A DF D3 78 56 DC 15 DE 9F 0B 91 DD 3B 1B 2B E2 82 FA 24 FF 81 A3 F7 3F C1 02 03 01 00 01 public key type : RSA : 1.2.840.113549.1.1.1 finger print : SHA1 : 2D C1 93 F8 AC A0 8F E2 C2 05 D8 23 D7 5D 87 E6 82 3C 47 EC signature algorithm : SHA1WithRSASignature : 1.2.840.113549.1.1.5 value 0E 80 24 98 F6 6E 89 43 76 57 76 7F 82 95 18 6A 43 A5 81 EC F4 82 1F 1F F2 3F E5 61 67 48 C0 59 94 17 8E 8F DE 4F 7C 35 0C 5D A7 98 73 2A 34 7D 1E BA 53 78 A5 E4 31 45 D1 08 86 BE 5E 57 C6 9D B5 E7 A7 01 3F 54 01 5E 8F 8B 2F 66 19 24 1E A4 94 58 B0 D4 40 95 AB 98 C2 EF 1C 5C 4A 29 48 EC 8C C0 A2 B1 AC 2A E9 3C 14 E5 77 B2 A6 55 A8 21 CB 59 81 86 79 F0 46 35 F8 FC 99 2D EC D4 B9 EB Trusted : enabled **zD~qwqC CA ){$i(zfT){$i),h*zI$i){ks"r* { CA(g VeriSign)'6QCTqC$i){#ZzqCQ){D$is,h*+d SUA~qw\?}]b#TB>}]>KgNksMSU$i#C>}P9CK$ iDTCf># 1. 
WH,* mydbserver.kdb 4($i){ks (CSR)#TB|nCZZ8(\?}] bP4(B RSA =K/+C\?TM PKCS10 $iks#TZ CMS \?}]b, $iksE"+#fZ)9{*“.rdb”DD~P#I -file !n8(DD~*h*" MA CA DD~# gsk8capicmd_64 -certreq -create -db "mydbserver.kdb" -pw "mydbserverpw0" -label "mycert" -dn "CN=myhost.mycompany.com, O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA", -file "mycertRequestNew" TB|n+Pv my db ~qwD$iksDj8E": Z 1 B DB2 2+T#M 57 gsk8capicmd_64 -certreq -details -showOID -db "mydbserver.kdb" -pw "mydbserverpw0" -label "mycert" dv+T>gB: label : mycert key size : 1024 subject : Common Name (CN): Type : 2.5.4.3 Value: myhost.mycompany.com Organization (O): Type : 2.5.4.10 Value: myOrganization Organizational Unit (OU): Type : 2.5.4.11 Value: myOrganizationUnit Locality (L): Type : 2.5.6.3 Value: myLocation State (ST): Type : ? Value: Ontario Country or region (C): Type : 2.5.4.6 Value: CA public Key 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 9C B4 62 3C 89 02 4E B0 D8 EA 0B B8 CC 70 63 4A 59 1F 0F FD 98 9A 1A 39 94 E3 43 C1 63 7A CD 21 47 57 D9 86 6F 11 B8 91 08 AC E3 E2 21 32 FE 43 1F 07 C9 F5 40 6B 3E 4D 56 35 05 62 D6 78 0B E3 97 28 F7 27 31 A4 05 BE F2 3A 44 6B D8 D1 FF 1E DA 59 63 E6 49 52 39 45 9C 1E 8E CC DA A1 D9 0F 3A 96 09 66 5C 89 23 2E EE 31 65 8D 87 8E B9 61 C6 69 BC A5 DB EB 03 16 E6 33 85 14 68 BC DD F1 02 03 01 00 01 finger print : e0dcde10ded3a46a53c0190e84cc994e 5d7e4bad attributes signature algorithm1.2.840.113549.1.1.5 value 4F 06 B4 E3 1F 00 B4 81 90 CC A2 99 4A 02 68 D0 84 B5 7F 33 0B F0 04 D5 7D 4C 5C CB 5C D3 37 77 E2 6D 10 17 50 19 D0 7F 61 C7 C8 54 7B DB CD 6F 47 9F 7E 7E 5A CC 64 20 85 95 A8 5E C7 7D FB F4 8A 7F 4B 74 6F 0A C6 EF 09 E7 0A 15 17 CC 1D D2 5D ED 02 A1 BE 1D FC F2 65 EB 0D E2 93 BC 88 4C 4C 73 76 16 9F 1B 12 3B 7A 01 CF E0 63 97 E8 38 02 FB 47 EE F2 17 54 66 4D F7 7F 9E 13 DA 76 A2 *T>$iksD~: $ cat mycertRequestNew -----BEGIN NEW CERTIFICATE REQUEST----- 
MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAO BgNVBAcTB01hcmtoYW0xDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMDREIyMR8wHQYD VQQDExZnaWxlcmEudG9yb2xhYi5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQCctGI8iQJOsNjqC7jMcGNKWR8P/ZiaGjmU40PBY3rNIUdX2YZvEbiR CKzj4iEy/kMfB8n1QGs+TVY1BWLWeAvjlyj3JzGkBb7yOkRr2NH/HtpZY+ZJUjlF nB6OzNqh2Q86lglmXIkjLu4xZY2Hjrlhxmm8pdvrAxbmM4UUaLzd8QIDAQABoAAw DQYJKoZIhvcNAQEFBQADgYEATwa04x8AtIGQzKKZSgJo0IS1fzML8ATVfUxcy1zT 58 }]b2+T8O N3fibRAXUBnQf2HHyFR7281vR59+flrMZCCFlahex3379Ip/S3RvCsbvCecKFRfM HdJd7QKhvh388mXrDeKTvIhMTHN2Fp8bEjt6Ac/gY5foOAL7R+7yF1RmTfd/nhPa dqI= -----END NEW CERTIFICATE REQUEST----- g{zh*>}$iks,k9C`FTB>}D|n: gsk8capicmd_64 -certreq -delete -db "mydbserver.kdb" -pw "mydbserverpw0" -label "mycert" 2. ;s,CJ VeriSign Web >c"xP"a,K>c+*sztP"3yksD~T a;ks#TZTCf>,z+U=;b|,Q){D$iDgSJ~#CgSJ ~9|,CZBXTCy CA $i0TCPd CA $iD4S#9CGB>r vi +yP}v$i<#fAD~P: v RootCert.arm v IntermediateCert.arm v MyCertificate.arm b}v$iiI;vEN4# 9CTB|n+TCy CA $imSA mydbserver.kdb: gsk8capicmd_64 -cert -add -db "mydbserver.kdb" -pw "mydbserverpw0" -label "trialRootCACert" -file RootCert.arm -format ascii 9CTB|n+TCPd CA $imSA mydbserver.kdb: gsk8capicmd_64 -cert -add -db "mydbserver.kdb" -pw "mydbserverpw0" -label "trialIntermediateCACert" -file IntermediateCert.arm -format ascii 9CTB|n+TC$iSUA mydbserver.kdb: $ cat SSLCertificate.cer2 -----BEGIN CERTIFICATE----- MIIFVjCCBD6gAwIBAgIQdOydrySM+J4uUPNzbPHhVjANBgkqhkiG9w0BAQUFADCB yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz L3Rlc3RjYSAoYykwNTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl cnZlciBUZXN0IENBMB4XDTA5MDIyMzAwMDAwMFoXDTA5MDMwOTIzNTk1OVowgaox CzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHFAdNYXJraGFt MQwwCgYDVQQKFANJQk0xDDAKBgNVBAsUA0RCMjE6MDgGA1UECxQxVGVybXMgb2Yg dXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vY3BzL3Rlc3RjYSAoYykwNTEfMB0GA1UE 
AxQWZ2lsZXJhLnRvcm9sYWIuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAnLRiPIkCTrDY6gu4zHBjSlkfD/2Ymho5lONDwWN6zSFHV9mGbxG4kQis 4+IhMv5DHwfJ9UBrPk1WNQVi1ngL45co9ycxpAW+8jpEa9jR/x7aWWPmSVI5RZwe jszaodkPOpYJZlyJIy7uMWWNh465YcZpvKXb6wMW5jOFFGi83fECAwEAAaOCAdcw ggHTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEMGA1UdHwQ8MDowOKA2oDSGMmh0 dHA6Ly9TVlJTZWN1cmUtY3JsLnZlcmlzaWduLmNvbS9TVlJUcmlhbDIwMDUuY3Js MEoGA1UdIARDMEEwPwYKYIZIAYb4RQEHFTAxMC8GCCsGAQUFBwIBFiNodHRwczov L3d3dy52ZXJpc2lnbi5jb20vY3BzL3Rlc3RjYTAdBgNVHSUEFjAUBggrBgEFBQcD AQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUZiKOgeAxWd0qf6tGxTYCBnAnh1oweAYI KwYBBQUHAQEEbDBqMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5j b20wQgYIKwYBBQUHMAKGNmh0dHA6Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNv bS9TVlJUcmlhbDIwMDUtYWlhLmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBW FglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAm FiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcN AQEFBQADggEBAKs1YpIeOAL6mTryIXpYfokkzRdwP5ooDutHhVbRYcPwq9ynOrHM 3gZolv8th5PpSkZAGTPr3HJZG6HnxRiQjPT88PAADR3SEzVMzQEESHfYToF1qBPZ svigphI9eIHcg5IWwv7dyuXtkFGbTCqcvEqJiT3UHhubgMfoTuTGayhNoGt75FGU h4kSJz3af6MNuGmQLs4wzJTepU7srlhGV1C1ujTCydax2BiWfWwO4YaFcckvHxbR 6I7vVj1PTC2RO8n5qcWJYmGU0PG3d58hJETD4E8tAReh21ShBWDgn4+e0k1XtQ8K lB66QpsFYGTLtGyd/4w4BAgq/QLmcs+mpjc= Z 1 B DB2 2+T#M 59 -----END CERTIFICATE----- gsk8capicmd_64 -cert -receive -file MyCertificate.arm -db "mydbserver.kdb" -pw "mydbserverpw0" -format ascii 9CTB|nPv mydbserver.kdb PDyP$i: gsk8capicmd_64 -cert -list all -db "mydbserver.kdb" -pw "mydbserverpw0" certificates found * default, - personal, ! trusted -! mycert ! trialIntermediateCACert ! trialRootCACert -! 
myselfsigned db2 update dbm cfg using SSL_SVR_LABEL mycert ZG Java DB2 M'zPdC2+WSVc (SSL) 'V IT+ng CLI"CLP M .Net Data Provider M'z.`D DB2 }]bM'zdC* 'V2+WSVc (SSL) Tck DB2 ~qwxP(E# *<.0 ":g{ V9.7 D DB2 M'zr DB2 Connect ~qwk z/OS V1.8"V1.9 r V1.10 53O DB2 z/OS f~qw(" SSL ,S,G4Xk+ APAR PK72201 D`& PTF &CZ Communication Server for z/OS IP Services# ":IZ GSKit V8 k GSKit 7.0.4.20 .0D GSKit V7d ;f],k IDS }]~q w(9C GSKit 7.0.4.20 .0D GSKit V7d)D CLI &CLr,S+'\#*@}C Jb,k+ IDS }]~qwOD GSKit b}6= GSKit 7.0.4.20 r|_f> Z*M'zdC SSL 'V.0,k4PBP=h: v g{M'zM~qw;Z,;omFczO,G4;h*20 GSKit,r* GSKit Q T/f DB2 ~qw;pxPK20# T V9.7 FP1 p,1z20 DB2 ~qwD 64 ;f>1,20P+T/|( 32 ; GSKit b#*9Cb)b,Z Linux M UNIX Yw53O,Xk7#Q}7hC LD_LIBRARY_PATH"LIBPATH r SHLIB_PATH 73d?#Z Windows Yw53O,k 7#Q}7hC PATH 73d?,gBmPy># &CLr Yw53 GSKit bD;C 73d?hC 32 ; Linux M UNIX 64 ; $INSTHOME/sqllib/lib32/ gskit Z LD_LIBRARY_PATH"LIBPATH r SHLIB_PATH 73d?P|( $INSTHOME/sqllib/lib32/gskit# 64 ; Linux M UNIX 64 ; $INSTHOME/sqllib/lib64/ gskit Z LD_LIBRARY_PATH"LIBPATH r SHLIB_PATH 73d?P|( $INSTHOME/sqllib/lib64/gskit# 32 ; Windows 64 ; C:\Program Files (x86)\IBM\ GSK8\lib Z PATH 7 3 d ? P | ( C:\Program Files (x86)\IBM\GSK8\ lib 64 ; Windows 64 ; C:\Program Files\IBM\GSK8\ lib64 Z PATH 7 3 d ? P | ( C:\Program Files\IBM\GSK8\ lib64 60 }]b2+T8O SSL (E+X==20 GSKit,TZx(5}, GSKit b+;Z sqllib/lib/gskit r sqllib/lib64/gskit P#;PX*Z+V; C20 GSKit Dm;v1>#g{fZ GSKit D+V1>,k9+V GSKit kV ? GSKit &Z,;f># v 1+M'z20Zm;(FczO1,g{yZ“C”DM'z9C SSL 4k~qw( E,G4TZb)M'z,Xk20 GSKit#ITS“IBM DB2 Support Files for SSL Functionality DVD”20 GSKit b#r_,IT(}QS Passport Advantage® BX D3qxP20# – Z Windows O,7# IBM Global Security Kit (GSKit) bD76vVZ PATH 7 3d?P;Z Linux M UNIX O,7#C76vVZ LIBPATH"SHLIB_PATH r LD_LIBRARY_PATH 73d?P#}g,Z Windows O,+ GSKit bin M lib ? c4jIKNq# 2. 
Z DB2 M'zO,9C GSKCapiCmd $_44(`M* CMS D\?}]b# GSKCapiCmd $_*GyZ Java D|nP$_(;h*Z53O20 Java M\9 CK$_)# z9C gskcapicmd |n4wC GSKCapiCmd,g GSKCapiCmd User’s Guide P yv#Z Linux M UNIX Yw53O,C|nD76* sqllib/gskit/bin,Z 32 ;M 64 ; Windows Yw53O,K76* C:\Program Files\IBM\GSK8\bin#(Z 64 ;Yw53O,9fZ 32 ; GSKit I4PD~Mb;ZKivB,C|nD 76* C:\Program Files (x86)\IBM\GSK8\bin#) Z 1 B DB2 2+T#M 61 }g,TB|n4(F* mydbclient.kdb D\?}]bT0F* mydbclient.sth D~XD~: gsk8capicmd_64 -keydb -create -db "mydbclient.kdb" -pw "myClientPassw0rdpw0" -stash -stash !naZ\?}]byZD76O4(~XD~,dD~)9{* .sth#Z ,S1,GSKit a9C~XD~4q!\?}]bD\k# 3. +)p_$imS=M'z\?}]bP }g,TB gsk8capicmd |na+C$iSD~ mydbserver.arm }P y># >} CLP M6k= SQL M'z CLP M'zM6k= SQL M'zIT,SA6LwzOD}]b,Q9C CATALOG TCPIP NODE |n+C6LwzmSAZc?<#"v CATALOG TCPIP NODE |n,SECURITY X|VhC* SSL TTC,S8( SSL# TB>}]>KgN`?ZcM}]b,Tc CLP M'zIT9C SSL ,S 4k|G(",S# WH,`?ZcM}]b,TcM'z&CLrIk|G(" SSL ,S: catalog TCPIP NODE mynode REMOTE 127.0.0.1 SERVER 50001 SECURITY SSL catalog DATABASE sample AS myssldb AT NODE mynode AUTHENTICATION SERVER SE,9C ssl_clnt_keydb M ssl_clnt_stash dCN}48(M'z\? 
}]bM~XD~#z+ ssl_clnt_keydb dCN}hC*\?}]bD~ (.kdb) Dj<76"+ ssl_clnt_stash dCN}hC*~XD~Dj<76# db2 update dbm cfg using SSL_CLNT_KEYDB /home/test1/sqllib/security/keystore/clientkey.kdb SSL_CLNT_STASH /home/test1/sqllib/security/keystore/clientstore.sth g{ ssl_clnt_keydb r ssl_clnt_stash dCN}* NULL(4hC),, S+'\"5Xms SQL10013N,jG* GSKit Error: GSKit_return_code# ;s,S CLP M'z,SA~qw: db2 connect to myssldb user user1 using password r_,6k= SQL &CLrI9CTBod4xP,S: Strcpy(dbAlias,"myssldb"); EXEC SQL CONNECT TO :dbAlias USER :user USING :pswd; CLI/ODBC M'z&CLr y]KP CLI &CLrD73,z9C,SV{.N}(ssl_client_keystoredb M ssl_client_keystash)r DB2 dCN}(ssl_clnt_keydb M ssl_clnt_stash) 48(M'z\?}]b76M~XD~76# 62 }]b2+T8O v g{9C IBM Data Server Driver for ODBC and CLI,G49C,SV{ .N},gTB>}Py>: (}|, SECURITY=SSL X|VD,SV{.4wC SQLDriverConnect#} g: "Database=sampledb; Protocol=tcpip; Hostname= myhost; Servicename=50001; Security=ssl; Ssl_client_keystoredb=/home/test1/keystore/clientstore.kdb; Ssl_client_keystash=/home/test1/keystore/clientstore.sth;" ZKivB,r*8(K Security=ssl,yTXkhC ssl_client_keystoredb M ssl_client_keystash ,SV{.N},qr,,S+'\# v g{9C IBM }]~qwM'zr IBM Data Server Runtime Client,G4 I9C,SV{.N}r DB2 dCN}4hCM'z\?}]b76Mf" D~76#g{hCK ssl_client_keystoredb M ssl_client_keystash , SV{.N},G4|Ga2GI ssl_clnt_keydb r ssl_clnt_stash d CN}hCDNN5# K>}9C db2cli.ini D~4hC,SV{.N}: [sampledb] Database=sampledb Protocol=tcpip Hostname=myhost Servicename=50001 Security=ssl SSL_client_keystoredb=/home/test1/keystore/clientstore.kdb SSL_client_keystash=/home/test1/keystore/clientstore.sth K>}9C FileDSN CLI/ODBC X|V4j6|,}]b,SE"D DSN D~,CD~hC,SV{.N}#}g,C DSN D~4p4I\kBfD Z]`F: [ODBC] DRIVER=IBM DB2 ODBC DRIVER – DB2COPY1 UID=user1 AUTHENTICATION=SERVER PORT=50001 HOSTNAME=myhost PROTOCOL=TCPIP DATABASE=SAMPLEDB SECURITY=SSL SSL_client_keystoredb=/home/test1/keystore/clientstore.kdb SSL_client_keystash=/home/test1/keystore/clientstore.sth Z b ) i v B , r * 8 ( K Security=ssl, y T g { ; P h C 
ssl_client_keystoredb M ssl_client_keystash ,SV{.N}"R2; PhC ssl_clnt_keydb M ssl_clnt_stash dCN},G4,S+'\# yZ$iDO$ S DB2 V9.7 FP6 *<,Z db2dsdriver.cfg O$N}P}kKBDO$` M“CERTIFICATE”,gTBo(Py>: yZ$iDO$Jmz9C SSL M'zO$,x;h*Z}]bM'zOa) }]b\k#dCyZ$iDO$Ta)O$E"1,;\TNNd{==8 (\k(gZ db2dsdriver.cfg dCD~"db2cli.ini dCD~r,SV{. P)#IZO$N}h*8(j),yT9}kKBD}]~qw}/Lrd Z 1 B DB2 2+T#M 63 CN} SSLClientLabel#g{8(K CERTIFICATE,G49XkZ CLI dC D~ db2cli.ini PrZ}]~qw}/LrdCD~ db2dsdriver.cfg P8 (BDj)N} SSLCLientLabel# S DB2 V9.7 FP6 *<,}kKBDX|V SSLClientKeyStoreDBPassword 4 *(} SSLClientKeystoredb X|V8(D\?b}]bhC\k#dCN} SSLClientKeystash M SSLClientKeyStoreDBPassword %b#,1Z CLI d CD~r}]~qw}/LrdCD~P8(K SSLClientKeystash dCN} M SSLClientKeyStoreDBPassword dCN}1,a5Xms CLI0220E#rK, *I&XjIyZ$iDO$,(iv8(dP;vX|Vx;G,18(b =vX|V# DB2 .Net Data Provider &CLr hzTB=(,DB2 .Net Data Provider &CLrIk}]b(" SSL ,S: (}(e,SV{.N} SSLClientKeystoredb M SSLClientKeystash 48(M 'z\?}]b76M~XD~76#,SV{.9Xk|, Security=SSL# }g: String connectString = "Server=myhost:50001;Database=sampledb;Security=ssl; SSLClientKeystoredb=/home/test1/keystore/clientstore.kdb; SSLClientKeystash=/home/test1/keystore/clientstore.sth"; b y , g T B C# z k , N P y > , * k } ] b ( ",S , k + K connectString +]A DB2Connection 9l/}"9C DB2Connection Ts D Open =(4k connectString Pj6D}]b(",S: DB2Connection conn = new DB2Connection(connectString); Conn.Open(); Return conn; g{ SSLClientKeystoredb r SSLClientKeystash ,SV{.N}* NULL (4hC),G4,S+'\"5Xms SQL10013N(jG* GSKit Error: GSKit_return_code)# 2+WSVc (SSL) DB2 }]b53'V9C2+WSVc (SSL) 0dsL_+dc2+T(TLS),T9 M'z\;O$~qwM(}9CS\4a)M'zk~qw.dD(C(E#O$ G(};;}V$i44PD# ":1>wba= SSL 1,}GmP5w,qr,`,E"JCZ TLS# Z;PS\DivB,E"|(}xg1,_PCJ(DNNC'|D\'V\kW~# 2. ~qwTy!\kW~xPl&# 3. ~qw+|D}V$i"MAM'z# 4. M'zi$~qw$iDP'T,TCZO$?D#|I(}k"v~qw$iD IEO$PDxPKTr(}lkdT:D\?}]b4jIK=h# 5. M'zk~qw2+X-La0\?M{"O$zk(MAC)# 6. 
M'zk~qw9Cy!\?M MAC 42+X;;E"# ":DB2 }]b53;'V SSL UVZdTM'zxP(I!)O$# + SSL S\k DB2 O$dO9C IT+ SSL S\kng KERBEROS r SERVER .`D+?VP DB2 O$=(d O9C#z(}Z DBM dCN}P+5}DO$`MhC*y!O$=(4U#jI KNq# }V$iMO$PD }V$iIIE=(F*O$PD)"v,Ti$ngM'zr~qw.`D5eD m]# }V$iD9CP=v?D:i$yP_Dm]T09yP_D+C\?IC#$i "v1xPX9UZ,ZKUZ.s,|;YIO$PD(CA)#$# *Kq!}V$i,z+ks"MAy! CA,}g Verisign r RSA#Cks|(z D(P{F"+C\?M){#(P{F (DN) Gz*djk$iD?vC'rwzD (;j6#CA a9C+C\?lizD){"TzDm]4P3)6pDi$(bf CA D;,xd/)#Zi$.s,CA +Q){}V$i"Mxz,C}V$i|, zD(P{F"+C\?"C CA D(P{FT0CO$PDD){#z+KQ){$ if"Z\?}]bP# 1+K$i"MxSU=1,SU=a4PTB=v=h4i$zDm]: 1. 9Cf$ia)D+C\?4lizD}V){# 2. i$"v$iD CA GqO(RIE#*K,SU=h*C CA D+C\?#SU =I\Q+C CA D+C\?D\#$1>#tZd\?}]bP,+G,g{; P,G4SU=Xkmb!C}V$i4q!C CA D+C\?#K$iI\V@ 5Zm;v CA D}V$i;I\fZI`v CA "vD$iDcNa9,?v< @5ZB;vDP'T#+G,nU,SU=h*y CA D+C\?#y CA G; ZCcNa9%?D CA#*KENy CA D}V$iDP'T,+C\?C'X kT2+==SUC}V$i,}g,(}SQO$~qwBX"hzSUTIE 4D$0km~r9C2+;6DmL# +}V$i"MASU=Dm`&CLr";v"MdT:D$i,xR"Mi$$ icNa91Ay CA $iyXhD+? CA }V$i# *9}V$ij+IE,C}V$iDyP_XkQP8#$d(C\?,}g,( }ZdFczD2L}/wOTC}V$ixPS\#g{d(C\?Qp5,G4 0{%f_I\DCd}V$i# Z 1 B DB2 2+T#M 65 IT+T){}V$iCZbT?D#T){}V$i|,zD(P{F"+C\? 
M){# +C\?\ku SSL 9C+C\?c(4*O$;;S\\?E"M}V$iE"#+C\?\ku (2F*GTF\ku)9C=V;,DS\\?:CZS\}]D+C\?T0C ZTdxPb\DX*(C\?# 4.,TF\?\kuv9C;v\?,2+(EPf0DyPw=<2mC\?# K\?HCZTE"xPS\,2CZTE"xPb\#C\?Xk2+XV"xy Pw="Idf",b\Q#$#(}+C\?\ku,+C\?;#\,+G|S \D{";\(}9CdX*D(C\?4b\#(C\?Xk2+Xf"(}g, Z\?}]bP)rZFczD2L}/wOS\# vP+C\?c(;a#$(E2+,9h*Tkz(EDNNC'Dj6xPi $#*K4PKO$,SSL 9C}V$i#1+}V$i"MA3C'1,C$iar da)+C\?#zQ9C(C\?4T$ixP}V){,rK(EDSU=IT 9C+C\?4i$zD){#}V$i>mDP'TI"v|DO$PD(CA)# $# \'VD\kW~ Z SSL UVZd,M'zk~qw-LDv\kW~+C4;;}]#\kW~G; iC4a)O$"S\M}]j{TDc(# DB2 }]b539CT FIPS ==KPD GSKit 4a) SSL 'V#GSKit 'VBP \kW~: v TLS_RSA_WITH_AES_256_CBC_SHA v TLS_RSA_WITH_AES_128_CBC_SHA v TLS_RSA_WITH_3DES_EDE_CBC_SHA ?v\kW~D{F<8(|CZO$"S\M}]j{TliDc(#}g,\k W~ TLS_RSA_WITH_AES_256_CBC_SHA + RSA CZO$"+ AES 256 ;M CBC CwS\c(T0+ SHA-1 Cwli}]j{TD"P/}# Z SSL UVZd,DB2 }]b53T/!q,1\M'zM~qw'VDn?\kW ~#g{*~qwvS\;vr`vX(\kW~,G4IT+ ssl_cipherspecs dC N}hC*BPNN5: v TLS_RSA_WITH_AES_256_CBC_SHA v TLS_RSA_WITH_AES_128_CBC_SHA v TLS_RSA_WITH_3DES_EDE_CBC_SHA v TO}v5DNNiO#*hC`v5,kC:EVt?v5,+;*Zb)5. 
dtUq# v Null#ZKivB,aT/!qn?DICc(# ;\T!qDv\kW~xPEH6hC#g{hCK ssl_cipherspecs dCN},G 4 DB2 }]b53a!qn?DIC\kW~;K!q;!vZzZhC ssl_cipherspecs 18(\kW~D3r# 66 }]b2+T8O &sbM&mfr 1 DB2 for Linux, UNIX, and Windows &sh* GSKit D)&Lm~1,r_1h * GSKit D)&Lm~&s DB2 for Linux, UNIX, and Windows 1,Xkq-3) fr# bfr 1 DB2 for Linux, UNIX, and Windows &sh* GSKit D)&Lm~1,K)&L m~+a)k DB2 for Linux, UNIX, and Windows 4SDb#b)bXkq-3Vf r#KfrF*bfr# bfr:9CL{F /,0k GSKit b1,wC_Xk*0kw/}v+] GSKit bDy>D~{,x; +]76# }g,dlopen("libgsk8ssl_64.so", RTLD_NOW | RTLD_GLOBAL) }7,x dlopen("/ usr/opt/ibm/gsk8_64/lib/libgsk8ssl_64.so", RTLD_NOW | RTLD_GLOBAL) ;}7# &mfr 1h* GSKit D)&Lm~&s DB2 for Linux, UNIX, and Windows 1,)&Lm ~ak IBM }]~qwM'z4S#)&Lm~Xkq-3Vfr#KfrF*&m fr# &mfr:hC73Qw76 xLXkhC|*ZdPiR GSKit bD73Qw76#xLXk4PKhC,Tcy |(DbIS,;;C0k GSKit b# Z AIX O,xLIT+I4PD~D LIBPATH r RPATH hC* GSKit bD76# Z setuid M setgid ivB,xLIT9C db2chglibpath + GSKit DQw76|( ZI4PD~D RPATH P#;P4PKYw.s,E\9C;ZC;CD GSKit b# Z Linux"Sun M HP-UX O,xLIT+ LD_LIBRARY_PATH hC* GSKit bD 76#Z setuid M setgid ivB,xLIT9C db2chglibpath + GSKit DQw7 6|,Z IBM }]~qwM'zbD RPATH P#;P4PKYw.s,E\9C; ZC;CD GSKit b#}g,1xLh*Z~qw5}P9C+V GSKit,r_h*Z M'zr~qw5}P9C|T:DV? GSKit 1,|IT9C db2chglibpath 4|D RPATH# {E4S=(M^F 1zZ UNIX M Linux =(O20 DB2 for Linux, UNIX, and Windows 1,2a2 0V? GSKit b#b)b;Z /lib64/gskit_db2 r /lib32/gskit_db2# Z20 IBM Dd{z7Zd,I\a20 GSKit bDm;v1>#b)bI\GV? 
GSKit b,2I\G+V GSKit b,Sy20Dz7x(#1 DB2 for Linux, UNIX, and Windows M IBM a)Dm;v|( GSKit bDz7<20Z,;(zwO1, Z 1 B DB2 2+T#M 67 I\azz3)%YwTJb#r* GSKit vJmNN%vxLPfZ%v GSKit 4 PDb,yTI\azzb)%YwTJb#b)%YwTJbI\a/lib64/gskit r /lib32/gskit = /lib64/gskit_db2 r /lib32/gskit_db2 D{ E4S#K;CGSdP0k GSKit bD1!;C#CZ&s DB2 for Linux, UNIX, and Windows "|DSya=D1!?<= GSKit Dm;v1>Db?_P8r1!;CD{E4S,G4a# tkID201>`X*D{E4S#g{B20D1>_P;8r1!;CD{E 4S,G4Z|BD201>Pa9Ck|BD201>`X*D{E4S#IZ{ E4S /lib64/gskit r /lib32/gskit ;Z DB2 for Linux, UNIX, and Windows 201>D76P,rKfZ3)V^T#}g, g{*NN DB2 1>4(K=vr=vTOD5},G4{E4S|Da0lyP5 }# Z Solaris x64 O,DB2 for Linux, UNIX, and Windows =x|(D GSKit f>* 8.0.14.14 r 8.0.15.1# >} DB2 for Linux, UNIX, and Windows +&s LDAP M'z#DB2 for Linux, UNIX, and Windows xLq-&mfr#*q-&mfr,-I RPATH D73Qw76hC *d GSKit D>X1>#LDAP M'zb+S,;;C0k GSKit b#hC GSKIT_LOCAL_INSTALL_MODE 1,LDAP M'zb(|Gq-bfr)+4 GSKit bDy>D~{40k GSKit b# LDAP ~qw+&s DB2 for Linux, UNIX, and Windows#LDAP xLq-&mfr# 73Qw76hC* GSKit D+V1>,IBM }]~qwM'zb+S,;;C0k GSKit b#IBM }]~qwM'zb(|Gq-bfr)+4 GSKit bDy>D~{ 40k GSKit b# GSKit 5Xk ;) DB2 }]b\mw{"I\aT> IBM Global Security Kit (GSKit) D5Xk# #f GSKit 5Xk m 2. GSKit #f5Xk 5 X k ( . y x F) 5Xk(. xF) #? 5w 0x00000000 0 GSK_OK NqQI&jI#Q(}?vI& jID/}wC"v# 0x00000001 1 GSK_INVALID_HANDLE 73r SSL dz^'#y8(dz ;GI& open /}wCDa{# 0x00000002 2 GSK_API_NOT_AVAILABLE /,4Sb(DLL)Q6X,;I C#(vTZ Windows#) 68 }]b2+T8O m 2. GSKit #f5Xk (x) 5 X k ( . y x F) 5Xk(. xF) #? 
5w 0x00000003 3 GSK_INTERNAL_ERROR Z?ms#r~q(fKms# 0x00000004 4 GSK_INSUFFICIENT_STORAGE ;Pc;ZfCZ4PYw# 0x00000005 5 GSK_INVALID_STATE dzD4,TZYw^',}g, T3vdz4Puz DB2 2 +TdO9C1,|akTs?~2_'X#$}]M}]b&CLr# Database Encryption Expert PzZi/7#Z{Ou}M"(z9(nD,1T(CM z\}]xP?#$#Database Encryption Expert Dw*EcgB: v TZ DB2 }]b53,_PIlD_}]2+T v #$51D~"dCD~"U>D~M8]}] v T&CLr"}]bMf"738w v CZZ*z73MQz73P#$}]D_TM\?\m3; v zcT\*s Database Encryption Expert 9z\;TQz}]b8]xPS\T0T*z(“51”) }]bD~xPS\#bGELO}]DS\,`T(}xg+dD“/,}]”x T,b`}]P1F*“2,}]”# Z 1 B DB2 2+T#M 77 v TZ8],}]DS\==k|8]1D`,,rK,8]h8OD}]QS\# *GC}]h*V4,V4~qwMa6pC}]QS\"+TdxPb\# v TZ}]bD~,|, DB2 }]bP}]DYw53}]D~QS\#ba@9" TA!“-<”}]bD~D4Z(C'Tb)}]D~xPCJ# Database Encryption Expert TC'"}]b"&CLrMf"w8w#;h*TVPy !a9xPNNzk|Drd{|D#Database Encryption Expert IT#$NNf"7 3PD}],xC'LxTH0D==T}]xPCJ# Database Encryption Expert IT#$}]b&CLr,r*|IT@9TI4PD~" dCD~T0b.`DTsxP|D,Sx@9T&CLrD%w# ":;\Z DB2 pureScale®73P9C Database Encryption Expert# Database Encryption Expert De5a9 Database Encryption Expert G;izmLrM~qwm~|,(}9CyZ Web DC 'gfM|nP5CLr4\m#Database Encryption Expert \m1dCCZXFgN 5V2+TMS\D2+_T# y](eb)2+_TD==,Database Encryption Expert 8]zmLraT DB2 8 ]xPS\,x Database Encryption Expert D~53zmLrrT DB2 }]D~x PS\# Encryption Expert Security Server af"2+_T"S\\?MB~U>D~#2+_ T|,}i2+fr,Xkzcb)frE\Jmr\xCJ#?u2+frD~Z]#}g,8]\mwITZ^(i4Z]DivBTX( }]xP8]# g{QS\D~I4Z(C'CJ,G4Z1Y`& Security Server Kz}]b9u#}mP;v|nPTd?.b,DB2 8]Yw 1;ab6= Database Encryption Expert I$#Database Encryption Expert a8]M 4-2,}]T0n/D*z}]# y>D8]M4-dC\'V#Zy>dCP,}](};v~qwM`vzmLr xPS\M8];}]Db\M4-G(}TH0C4zI8]D~qwdCDzm Lr4jID# TZ8]M4-,%>cM`>cdC2\'V#Z%>c=8P,dC}](}% v}]PDP`v Security Server xP5q#Z`>c=8P,8]GZ;,}]PD P;, Encryption Expert ~qwO4-D# sFU>G< (}/P=sFG<$_,at\`SMG< Database Encryption Expert zmLrn /#ITG: 1. Z53OtC EFS# 2. *C4KP DB2 }]bX$LrDC'J'0k\?b# 3. Z}]bD~53OtC EFS# 4. 7(*S\DYw53D~# 5. 
T|,h* EFS #$D}]bmDD~xPS\# Z53OtC EFS ZtC EFS .0,Xk20 clic.rte D~/#IZ)9| CD OR= clic.rte 2 03q# 80 }]b2+T8O T root C'm]KPBfD|n4Z53OtC EFS: % efsenable -a vh*KP efsenable |n;N# 0k\?b ZBPdC>}P,C4KP DB2 }]bX$LrDC'J'F* abst#C' abst X k_P\?b,"R abst ytDNNi2Xk_P\?b# 1. Zt/ DB2 X$Lr.0,yP\?b}Py>: # lsuser abst abst id=203 pgrp=abstgp groups=abstgp,staff ... # efskeymgr -V List of keys loaded in the current process: Key #0: Kind ..................... User key Id (uid / gid) ......... 203 Type ..................... Private key Algorithm ................ RSA_1024 Validity ................. Key is valid Fingerprint .............. 24c88df2:d91cb6a2:c3e11b6a:4c13f8b4:666fabd8 Key #1: Kind ..................... Group key Id (uid / gid) ......... 1 Type ..................... Private key Algorithm ................ RSA_1024 Validity ................. Key is valid Fingerprint .............. 03fead42:57e7646e:a1715626:cfa56c8e:8abed1c1 Key #2: Kind ..................... Group key Id (uid / gid) ......... 212 Type ..................... Private key Algorithm ................ RSA_1024 Validity ................. Key is valid Fingerprint .............. 339dfb19:bc850f4c:5551c975:7fe4961b:2dddf3bc 2. g{;PNN\?bT>*k abst xL`X*,G4"T9CTB|n40k\? b:% efskeymgr -o ksh K|naa>C'a)\?b\k,C\knuhC*G<\k# 3. (}XBKPTB|n47OC'Mi\?GqQ0k:% efskeymgr -V &CaP>C'Mi\?#g{T;;PP>i\?b,kLx4P=h 4# Z 1 B DB2 2+T#M 81 4. y]4(iD==D;,,i\?bI\;fZ#g{ efskeymgr -V |n;PP> C'Di\?b,G4Xk4(i\?b# kT root C'r RBAC G+ aix.efs_admin m]4(i\?b: % efskeymgr -C group_name 5. +i\?bCJ(8(x?vOJDC': % efskeymgr -k group /group_name -s user/user_name g{C'QG<,G4{G+;a"4Ti\?b_PCJ(,{G&C9C efskeymgr -o ksh |n4XB0kd\?b,r_XBG<# Z}]bD~53OtC EFS EFS vZ JFS2 D~53OKP,RXk(EtC# g{}]b;ZVPD~53O,kKP % chfs -a efs=yes filesystem |n4tC EFS,}g: % chfs -a efs=yes /test01 g{Z4(BDD~53,G4IT(}+ smit |nr crfs |nk -a efs=yes ! 
ndO9C4tC EFS#}g: % crfs -v jfs2 -a efs=yes -m mount_point -d device -A yes VZ,EFS ZD~53OQtC+4r*#kv*h*S\}]DX(}]bmr* EFS#PX|`E",kNDXZ efsmgr |nMLPD AIX EFS D5# 7(*S\DD~ *K7(|,*9C EFS S\4#$DX(}]bmDD~,kq-+ EMPLOYEE m Cw>}Db)=h# 1. 9C`FZTB>}Di/4iRmD TBSPACEID: SELECT TABNAME, TBSPACEID FROM syscat.tables WHERE tabname='EMPLOYEE' Y(Ki/Da{gBy>: TABNAME TBSPACEID EMPLOYEE 2 2. 9C`FZBfD>}Di/4ZmUdPiRC TBSPACEID: LIST TABLESPACE CONTAINERS FOR 2 Y(Ki/Da{gBy>: ]wj6 {F `M 0 /test01/abst/NODE0000/BAR/T0000002/C0000000.LRG D~ VZ,z*@KmUd|,ZF* /test01/abst/NODE0000/BAR/T0000002/ C0000000.LRG DYw53D~P#bGh*S\DD~# 82 }]b2+T8O S\D~ WH,k4T}]r}]bxPNNXs|D.0DYw48]}]b# q-BP=hTS\D~: 1. P>D~,}g: # ls -U /test01/abst/NODE0000/BAR/T0000002/C0000000.LRG -rw-------- 1 abst abstgp 33554432 Jul 30 18:01 /test01/abst/NODE0000/BAR/T0000002/C0000000.LRG 2. 9C efsmgr |n4TD~xPS\,}g: # efsmgr -e /test01/abst/NODE0000/BAR/T0000002/C0000000.LRG g{YNP>CD~,G4mI(V{.)2+vV“e”,|8vCD~QS\# }g: # ls -U /test01/abst/NODE0000/BAR/T0000002/C0000000.LRG -rw-------e 1 abst abstgp 33554432 Jul 30 18:03 /test01/abst/NODE0000/BAR/T0000002/C0000000.LRG 3. 
4}#==t/"9C DB2 }]b\mw#ZWcD~53P,mSA EMPLOYEE mMKS\mUdDyP}]<+I EFS xPS\#?1lw=}]1,<+(} DB2 }]b\mw4}#==b\"T>C}]# sF DB2 n/ DB2 sFh)ri *\mTtP}]DCJ,IT9CwVO$MCJXFzF4TIS\D}]CJ ("frMXF#+*@94*r;IS\DP*T0*"Vb`P*,I(}9C DB2 sFh)4`S}]CJ# I&`S;h*D}]CJMsxVv,IDFT}]CJDXF,"nU@9T} ]DqbD4Z(CJrr*VDxD~P#Tb)Ga6p53sCD 9C#=#;)6p,MI4PYw4uYr{}b`53sC# sFh)a)Z5}6pM%v}]b6pxPsFD&\,"T?vn/9C;, U>@"XGT0SN;`MDQi5U >Pi!sF}]# 2+T\m1(Z}]bZ5P SECADM (^)I+sF_Tk SQL od AUDIT dO9C,TdC"XF%v}]bDsF*s#2+T\m1IT9CBPsF} L44P8(DNq: v SYSPROC.AUDIT_ARCHIVE f"}LTsFU>xPi5# v SYSPROC.AUDIT_LIST_LOGS m/}JmziRX"DU># Z 1 B DB2 2+T#M 83 v SYSPROC.AUDIT_DELIM_EXTRACT f"}L+}]i!=(gD~P,TcxP Vv# 2+T\m1IT+Tb)}LD EXECUTE X(Zhm;vC',rKZh*192 +T\m1\;/Ib)Nq# 1ZVx}]b73P$w1,m`IsFDB~+ZkC',SD}]bVx(- wLrVx)r?PzIsFG<#*KZ}]b6pOt/sF,WH h*4(sF_T,;s9KsF_Tk*`SDTs(gZ(j6"}]b(^" IEOBDrX(m)`X*# sFG1azIG<# v (^li (CHECKING)#TCJrY] DB2 }]bTsr/}D"TxP(^li ZdazIG<# v Ts,$ (OBJMAINT)#14(r>}}]TsT0Dd3)Ts1azIG<# v 2+,$ (SECMAINT)#ZBPivBazIG<: – Zhr7zTsX(r}]b(^ – Zhr7z2+jErb}( – Ddi(^"G+(^r_2Gr^F LBAC 2+_TDtT – Zhr7z SETSESSIONUSER X( – ^ D B P N ; d C N } : SYSADM_GROUP" SYSCTRL_GROUP" SYSMAINT_GROUP r SYSMON_GROUP# v 53\m (SYSADMIN)#14Ph* SYSADM"SYSMAINT r SYSCTRL (^D Yw1azIG<# v C'i$ (VALIDATE)#1O$C'rlw532+TE"1azIG<# v YwOBD (CONTEXT)#14P}]bYw1,zIGCYwOBD#K `pJmTsFU>D~xP|CDbM#1kCU>DB~`XrSVNdO9 C1,I+;iB~XBk%v}]bYwX*#}g,/,i/Di/od"2 ,i/DLr|j6rI4PDYw`MD8>{(g CONNECT)yIa)Vvs Fa{1yhDOBD# ":a)CYwOBDD SQL r XQuery odI\\$,"IZ CONTEXT G< Zj+T>#bI\9 CONTEXT GDNN`p,zITsF'\DYwM/rI&DYw# Z}]b~qwO4PDNNYwI\zI8vG<#sFU>PzID5JG<} ?!vZsFh)dCy8(D*G&sFd{`p`gK# v IEOBD y]sF_T,+sFIX(IEOBD(eDIE,SZ"zDyPIsFB ~# v m>C'"irG+DZ(j6 y]sF_T,+sFI8(C't/DyPIsFB~# y]sF_T,+sFw*irG+I1DC'yt/DyPIsFB~#9|( dSG+I1Jq,}g,(}d{G+ri# (}*;vi(e$w:X"6qn/j8E",IT9C“$w:X\m”B~` Sw46q`F}]#z&CKb,A$w:XD3d;vvf0Z(j6,9I \f0d{tT,bI\a9z^(qCh*DsF#H,r_Z^DKb)d{ tT1,,SI\a3dA;,(I\G4`SD)$w:X#sFbv=8#$ sFC'"irG+# v (^(SYSADM"SECADM"DBADM"SQLADM"WLMADM"ACCESSCTRL" DATAACCESS"SYSCTRL"SYSMAINT M SYSMON) 
y]sF_T,+sFI5P8((^DC't/DyPIsFB~,49C(^ TB~45;GXhD,iv`gK# 2+T\m1IT4(`vsF_T#}g,zyZD+>I\h*;v_T4sF tP}],"h*;v_T4sF5P DBADM (^DC'Dn/#g{`vsF_ TT;vodP',G4+sF?vsF_T*ssFDyPB~(+;sF; N)#}g,g{}]bDsF_T*ssFX(mDI& EXECUTE B~,"RC' DsF_T*ssF,;vmD'\ EXECUTE B~,G4+sFCJCm1DI&M '\"T# Z 1 B DB2 2+T#M 85 TZX(Ts,;\P;vsF_TP'#}g,;\,1P`vsF_Tk,;v mX*# sF_T;\kS}sF_T,2+T\m1IT9C DROP od#;\>}kNNTsX*DsF _T#9C AUDIT REMOVE od}%kTsDNNd`X*#*+*}]mSAs F_T,2+T\m1IT9C COMMENT od# Z("j+,S.0zIDB~ TZZ4P,SMP;C'YwZdzID;)B~,(;ICDsF_TE"Gk }]bX*D_T#BmPT>Kb)B~: m 4. ,SB~ B~ sF`p "M CONNECT CONTEXT CONNECT_RESET CONTEXT AUTHENTICATION VALIDATE b|(ZIE,SZ,SMP;C'ZdDO $# CHECKING_FUNC CHECKING "TDCJG SWITCH_USER# +;y]k}]bX*DsF_TsFb)B~,x;9CkNNd{Ts(}g, C'"C'ir(^)X*DsF_TxPsF#TZZ,SZd"zD CONNECT M AUTHENTICATION B~,+9C5}6psFhC,1=}]b;$n*9#}]b ZZ;N,SZdr"v ACTIVATE DATABASE |n1;$n# 86 }]b2+T8O P;C'D0l g{ZIE,SZP;C',G4;atB-}DG+rIEOBDk sF_TX*) AUDIT @<= SQL odZ9C1_P;)^F: v ?vodsfXkzP COMMIT r ROLLBACK# v ;\Z+VBqZ"vb)od,}g,XA Bq# yPVxP;N;JmP;v4d5D AUDIT @<= DDL od#g{4d5D AUDIT @<= DDL od}Z4P,G4sx AUDIT @<= DDL od+H},1 =10 AUDIT @<= DDL odd5rXv*9# ":|D+4k?<,+*Zd5sEz',49TZ"vCodD,S`gK# sFTX(mDNNCJD>} k,d EMPLOYEE m|,G#tPDE","RC+>#{sFT CmPD}]DNNMyP SQL CJ#IT9C EXECUTE `p4zYTmDyPC J;C`psF SQL od,"IT!qsFZ4P1*Coda)Ddk}]5# zYCmODn/h*4P=v=h#WH,2+T\m14(;v8( EXECUTE ` pDsF_T,;s2+T\m1+C_TkmX*: CREATE AUDIT POLICY SENSITIVEDATAPOLICY CATEGORIES EXECUTE STATUS BOTH ERROR TYPE AUDIT COMMIT AUDIT TABLE EMPLOYEE USING POLICY SENSITIVEDATAPOLICY COMMIT sF SYSADM r DBADM 4PDNNYwD>} *KjI2+Oq$i,;R+>Xkmw\;`S}]bZI5P53\m (SYSADM) r}]b\m (DBADM) (^DG)K4PDNNMyPn/# *6q}]bZDyPYw,&sF EXECUTE M SYSADMIN `p#2+T\m1 4(;vsFb=V`pDsF_T#2+T\m1IT9C AUDIT od+KsF_ Z 1 B DB2 2+T#M 87 Tk SYSADM M DBADM (^X*#;s,5P SYSADM r DBADM (^DN NC'+G}T>gN4(bVsF_T"+|k SYSADM M DBADM (^X*: CREATE AUDIT POLICY ADMINSPOLICY CATEGORIES EXECUTE STATUS BOTH, SYSADMIN STATUS BOTH ERROR TYPE AUDIT COMMIT AUDIT SYSADM, DBADM USING POLICY ADMINSPOLICY COMMIT sFX(G+4PDNNCJD>} ;R+>JmTds5}]bxP Web 
&CLrCJ#9C Web &CLrD7Pv K4*#;*@9CDG+,CG+CZ\m}]b(^#C+>#{`Sw*CG +I1DNNKDYw,Tcli{Ga;x}]bDks"7#{G;(} Web & CLrCJ}]b# EXECUTE `p|,zYbVivBDC'n/yhDsF6p#Z;=G4(J1D sF_T"+|k Web &CLry9CDG+X*(Z>>}P,G+* TELLER M CLERK): CREATE AUDIT POLICY WEBAPPPOLICY CATEGORIES EXECUTE WITH DATA STATUS BOTH ERROR TYPE AUDIT COMMIT AUDIT ROLE TELLER, ROLE CLERK USING POLICY WEBAPPPOLICY COMMIT T}]btCsFD>} 3v+>k*7(-ZT{* SAMPLE D}]bxP DDL |D(>}:ALTER TABLE)# CONNECT TO SAMPLE CREATE AUDIT POLICY ALTPOLICY CATEGORIES AUDIT STATUS BOTH, OBJMAINT STATUS BOTH, CHECKING STATUS BOTH, EXECUTE STATUS BOTH, ERROR TYPE NORMAL AUDIT DATABASE USING POLICY ALTPOLICY f"MVvsFU> i5sFU>a+n/sFU>FA;vi5?<,x~qw*<4kBDn/sF U>#Ts,ITSi5U>+}]i!=(gD~P,;sSb)D~+}]0k = DB2 }]bmP,TcxPVv# (}dCsFU>D;C,IT+sFU>ECZ;vOsD_YELP,"IT! qTVx}]b73PD?vI19C;,DEL#ZVx}]b73P,n/sF U>D76ITGT?vI1(;D?<#9?vI1_P(;?D1!76* instance\security\auditdata,x Z Linux M UNIX Yw53O* instance/security/auditdata#g{;k9C1! ;C,G4IT!q;,D?<(g{;fZ8C;C,ITZ53O4(B?;CMQi5sFU>;CD76,k9Cx P datapath M archivepath N}D db2audit configure |n,gTB>}Py>: db2audit configure datapath /auditlog archivepath /auditarchive 88 }]b2+T8O 9C db2audit hCDsFU>f";CJCZ5}PDyP}]b# ":g{~qwOP`v5},G4?v5}<&CP;,D}]Mi576# Vx}]b73PDn/sFU>D76 (datapath) ZVx}]b73P,XkZ?vVxO9C`,Dn/sFU>;C(I datapath N }hC)#I9C=V=(45VK?D: 1. 8(K datapath N}1,9C}]bVxmo=#9C}]bVxmo=Jm+V xE|(ZsFU>D~D76P,"+a{|(Z?v}]bVxOD;,76 P# 2. 9CZyPI1O`,D2m}/w# ITZT datapath N}8(D5PDNN;C9C}]bVxmo=#}g,ZI} vI1iID53O(dP}]bVxE* 10),TB|n: db2audit configure datapath ’/pathForNode $N’ +9CTB76: v /pathForNode10 v /pathForNode20 v /pathForNode30 ":;\9C}]bVxmo=48(i5U>D~76(archivepath N})# i5n/sFU> 53\m1IT9C db2audit $_4i55}M}]bsFU>T0SN;`MDQ i5U>Pi!sF}]# 2+T\m1r2+T\m1QrdZhTsF}LD EXECUTE X(DC',IT( }KP SYSPROC.AUDIT_ARCHIVE f"}L4i5n/sFU>#*SU>Pi! }]"+C}]0k=(gD~P,{GIT9C SYSPROC.AUDIT_DELIM_EXTRACT f"}L# TBG9CsF}L4i5Mi!sFU>D=h: 1. wH&CLrT9Cf"}L SYSPROC.AUDIT_ARCHIVE 44Pn/sFU>D #fi5# 2. 7(PK$DQi5U>D~#9C SYSPROC.AUDIT_LIST_LOGS m/}4P> yPQi5sFU># 3. 
+D~{w*N}+]x SYSPROC.AUDIT_DELIM_EXTRACT f"}LTSU> Pi!}]"+|G0k=(gD~P# 4. +sF}]0k= DB2 }]bmPTxPVv# ;h*"4+Qi5U>D~0k=mPTxPVv;IT#f|GTZ+4Vv# }g,I\;h*ZxP+>sF1i4b)D~# g{i5ZdvVJb(}g,Cji576PDELUd,r_i576;f Z),G4i5xL+'\"RZsFU>}]76PzID~)9{* .bk DY1U >D~,}g,db2audit.instance.log.0.20070508172043640941.bk#ZbvJbs ((}Zi576PVdc;`DELUd,r_(}4(i576),Xk+KY Z 1 B DB2 2+T#M 89 1U>FAi576#;s,ITqT}I&i5DU>;yT}CU># ZVx}]b73Pi5n/sFU> ZVx}]b73P,g{Z5}}ZKP1"vi5|n,G4i5xL+T/Z ?vI1OKP#yPI1ODQi5U>D~{P<9C`,D1dAG#}g, ZI}vI1iID53O(dP}]bVxE* 10),TB|n: db2audit archive to /auditarchive +4(BPD~: v /auditarchive/db2audit.log.10.timestamp v /auditarchive/db2audit.log.20.timestamp v /auditarchive/db2audit.log.30.timestamp g{Z5}4KP1"vi5|n,G4IT(}BPdP;V=(XFi5|nZ DvI1OKP: v + node !nk db2audit |ndO9CTvT10I14Pi5|n# v 9C db2_all |nTyPI1KPi5# }g: db2_all db2audit archive node to /auditarchive b+hC DB2NODE 73d?T8>ZdOwCC|nDI1# r_,I%@T?vI1"v;vi5|n#}g: v ZI1 10 O: db2audit archive node 10 to /auditarchive v ZI1 20 O: db2audit archive node 20 to /auditarchive v ZI1 30 O: db2audit archive node 30 to /auditarchive ":15}4ZKP1,?vI1ODQi5sFU>D~{PD1dAG;,# ":(iZyPI1d2mi576,+b;GXhD# ":AUDIT_DELIM_EXTRACT f"}LM AUDIT_LIST_LOGS m/};\CJS1 0(-wLr)I1ISDQi5U>D~# i5U>"+}]i!=mPD>} ;R+>*K7#\;6q"f"dsFU>T)+49C,h*?yv!14(; vBDsFU>"+10sFU>i5= WORM }/wP#C+>2E2+T\m1 rX(C'(2+T\m1QrCC'ZhT AUDIT_ARCHIVE f"}LD EXECUTE X()? 
6 !1r SYSPROC.AUDIT_ARCHIVE f"}L"vBPwC;N#Qi5 U>D76G1!i576 /auditarchive,"Ri5|nZyPI1OKP: CALL SYSPROC.AUDIT_ARCHIVE( ’/auditarchive’, -2 ) 90 }]b2+T8O w*2+}LD;?V,C+>j6"(eK;(}?DIIP*r;JmDn/, h*ZsF}]P`Sb)P*rn/#{G#{i!;vr`vsFU>PDyP }],+b)}]ECZX5mP,;s9C SQL i/4iRb)n/#C+>Q7 (*sFDJ1`p,"9XhDsF_Tk}]brd{}]bTsX*# }g,{GITwC SYSPROC.AUDIT_DELIM_EXTRACT f"}L4SyPI1Pi !yP`pDQi5sFU>,b)sFU>G9C1!(g{M1dAG 2006 j 4 B4(D: CALL SYSPROC.AUDIT_DELIM_EXTRACT( ’’, ’’, ’/auditarchive’, ’db2audit.%.200604%’, ’’ ) Zm;v>}P,{GITwC SYSPROC.AUDIT_DELIM_EXTRACT f"}L4S EXECUTE `pPi!I&B~DQi5sFG<"S CHECKING `pPi!'\B ~DQi5sFG<,"S_PPK$D1dAGDD~Pi!Qi5sFG<: CALL SYSPROC.AUDIT_DELIM_EXTRACT( ’’, ’’, ’/auditarchive’, ’db2audit.%.20060419034937’, ’category execute status success, checking status failure’ ); sFU>D~{: sFU>D~D{FIxV|GG5}6p9G}]b6pU>,"j6|G4TV x}]b73PDDvVx#Qi5sFU>DD~{sf7SKKPi5|nD1 dAG# n/sFU>D~{ ZVx}]b73P,n/sFU>D76ITGT?vVx(;D?<,Tc?v Vx4kwTDD~#*K<7zY-D~{ P#}g,ZVx 20 O,5}6psFU>D~{* db2audit.instance.log.20#T ZK5}P{* testdb D}]b,sFU>D~* db2audit.db.testdb.log.20# ZGVx}]b73P,VxE+S* 0(c)#ZKivB,5}6psFU>D~ {* db2audit.instance.log.0#TZK5}P{* testdb D}]b,sFU>D~* db2audit.db.testdb.log.0# Qi5sFU>D~{ n/sFU>ZxPi5.s,dD~{sf+7STBq=D101dAG: YYYYMMDDHHMMSS(dP YYYY Gj],MM GB],DD GU,HH G!1,MM GVS,x SS Gk)# i5sFU>DD~{q=!vZsFU>D6p: 5}6pQi5sFU> 5 } 6 p Q i 5 s F U > D D ~ { * db2audit.instance.log.partition.YYYYMMDDHHMMSS# }]b6pQi5sFU> } ] b 6 p Q i 5 s F U > D D ~ { * db2audit.db.database.log.partition.YYYYMMDDHHMMSS# ZGVx}]b73P,partition D5* 0(c)# Z 1 B DB2 2+T#M 91 1dAGm>KPi5|nD1d,rK|"G\G<7X43U>Pns;uG< D1d#Qi5sFU>D~I\|,;)G<,|GD1dAGHU>D~{PD 1dAG*m8kS,bGr*: v Z"vi5|n1,sFh)+H=4kNNxLZG D~# v Z`zw73P,6LzwOD531dI\k"vi5|nDzwOD531d ;,=# ZVx}]b73P,g{KPi5|n1~qw}ZKP,G41dAGZwvV xP;B"43KZ4Pi5|nDVxPzID1dAG# 4(m4]I DB2 sF}]: 9C}]bmPDsF}].0,h*4(m4]I}]#&wb4hvgN4(mUd#) ":*4(C4]IsF}]DmDq=Z?v"PfPI\<;,#I\mSKB P,r_VPPDs!I\Dd#E> db2audit.ddl 4(}7q=Dm4|,sFG <# XZKNq BP>}5wgN4(m4]I(gD~PDG<#g{8b,IT4(%@#=4 |,b)m# 
g{;k9Cb)D~P|,DyP}],G4ITvTm(ePDPry]h*; 4(3)m#g{vTm(eDP,G4Xk^D+}]0kb)myCD|n# }L 1. "v db2 |nr* DB2 |n0Z# 2. I!: 4(#=4]Im# TZK>},#={* AUDIT: CREATE SCHEMA AUDIT 3. I!: g{4(K AUDIT #=,G4Z4(NNm.0P;AC#=: SET CURRENT SCHEMA = ’AUDIT’ 4. KPE> db2audit.ddl T4(+|,sFG db2audit.ddl ;Z sqllib/misc ?<(Z Windows O* sqllib\misc)P# CE>Y(}]b,SQfZ"R 8K mUdIC#CZKPCE>D|n*:db2 +o -tf sqllib/misc/db2audit.ddl# C E > 4 ( D m P : AUDIT"CHECKING"OBJMAINT"SECMAINT"SYSADMIN"VALIDATE" CON- TEXT M EXECUTE# 92 }]b2+T8O 5. 4(ms,2+T\m1IT9C SYSPROC.AUDIT_DELIM_EXTRACT f"}L r53\m1IT9C db2audit extract |n+Qi5sFU>D~PDsFG< i!=(gD~P# IT+b)(gD~PDsF}]0k=UU4(D}]bm P# + DB2 sF}]0kmP: ZQi5sFU>D~"+|i!=(gD~P,"R4(K}]bm4#fsF} ]s,IT+(gD~PDsF}]0k}]bmPTxPVv# XZKNq 9C0k5CLr+sF}]0kmP#T?vm"v%@D0k|n#g{vTm (ePD;vr`vP,G4Xk^D9CD LOAD |nf>E\I&0k}]#Kb, g{Zi!sF}]18(K}1!5bD(gV{,G49Xk^D9CD LOAD | nDf># }L 1. "v db2 |nr* DB2 |n0Z# 2. *0k AUDIT m,k"vBP|n: LOAD FROM audit.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.AUDIT ":8( DELPRIORITYCHAR ^N{T7#}7bv~xF}]# ":8( LOAD |nD LOBSINFILE !n(IZ_PD^F,sTsDNN1Se k}]Xk^Z 32K)#Z3)ivB,9I\h*9C LOBS FROM !n# ":8(D~{1,k9Cj<76{#}g,g{+ DB2 }]b5320Z Windows Yw53D C: LO,G4&8( C:\Program Files\IBM\SQLLIB\ instance\security\audit.del w* audit.del D~Dj<76{# 3. *0k CHECKING m,k"vBP|n: LOAD FROM checking.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.CHECKING 4. *0k OBJMAINT m,k"vBP|n: LOAD FROM objmaint.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.OBJMAINT 5. *0k SECMAINT m,k"vBP|n: LOAD FROM secmaint.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.SECMAINT 6. *0k SYSADMIN m,k"vBP|n: LOAD FROM sysadmin.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.SYSADMIN 7. *0k VALIDATE m,k"vBP|n: LOAD FROM validate.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.VALIDATE 8. 
*0k CONTEXT m,k"vBP|n: LOAD FROM context.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.CONTEXT Z 1 B DB2 2+T#M 93 9. *0k EXECUTE m,k"vBP|n: LOAD FROM execute.del OF DEL MODIFIED BY DELPRIORITYCHAR LOBSINFILE INSERT INTO schema.EXECUTE 10. +}]0km.s,S sqllib ?} .del D ~# 11. +sF}]0km.s,zMITSb)mP!q}]TxPVv# B;=v24 g{uNndm.s*YN4PKYw,r9C INSERT !n+BDm}]mSAVP m}]#g{*SmP}%T0 db2audit extract YwDG<,G49C REPLACE ! nYN0km# sFi5Mi!f"}L: 2+T\m1IT9C SYSPROC.AUDIT_ARCHIVE f"}L0m/}" SYSPROC.AUDIT_DELIM_EXTRACT f"}LM SYSPROC.AUDIT_LIST_LOGS m/ }4i5sFU>"+}]i!=(gD~P# 2+T\m1IT(}+Tb)}LD EXECUTE X(Zhm;vC'+b)}LD9 C(/PxCC'#;P2+T\m1E\ZhTb)}LD EXECUTE X(#TZb )}L,;\Zh EXECUTE X( WITH GRANT OPTION(SQLSTATE 42501)# Xk,S=}]b,E\9Cb)f"}LMm/}4i5rP>C}]bDsFU ># g{+Qi5DD~4F=m;v}]b53,"R*9Cf"}LMm/}4T| GxPCJ,k7#}]b{F`,,r_X|{D~T|(`,D}]b{F# b)f"}LMm/};ai5rP>5}6psFU>#53\m1Xk9C db2audit |n4i5Mi!5}6psFU># IT9Cb)f"}LMm/}44PBPYw: m 5. sF53f"}LMm/} f"}LMm/} Yw"M AUDIT_ARCHIVE i510sFU># +i576Cwdk#g{4a )i576,G4Kf"}LI CsFdCD~PDi576# +Z?vI1OKPi5|n, "R+,=D1dAG7SAs FU>D~{# AUDIT_LIST_LOGS Z8(76P5X10}]b DQi5sFU>Pm# 94 }]b2+T8O m 5. sF53f"}LMm/} (x) f"}LMm/} Yw"M AUDIT_ DELIM_EXTRACT S~xFQi5U>Pi!} ]"+|G0k=(gD~ P# 9CJO0k= DB2 }]bmP D ( g q = # f i ! D s FG <#dv+EZ%@DD~P, ?V`p;vD~#Kb,+4 (D~ auditlobs,T#fsF} ]P|,DNNsTs#D~{ *: v audit.del v checking.del v objmaint.del v secmaint.del v sysadmin.del v validate.del v context.del v execute.del v auditlobs g{b)D~QfZ,G4dv +7S=b)D~P#g{i! 
CONTEXT r EXECUTE `p, G4+4( auditlobs D~#;\ i!10}]bDQi5sFU >#vi!-wLrI1ISD G)D~# ;P5}yP_IT>}Qi5 DsFU># CZsF SQL odD EXECUTE `p EXECUTE `pJmz<7XzYC'"vD SQL od#Z V9.5 M|M"PfP, Xk9C CONTEXT `p4iRKE"# w*j{2+_TD;?V,+>IT*sX]tIj"VvT3)}]bm"vD NNX(ksD0lD&\#*K,C+>XkF);n_T,*s?\D~,Tc{GIT01XBiINNy!1LD}]b#9h*6q c;`DXZT}]b"vD?vksD}]bsFE",TcJmZ+4NN1d T0+4XECodyhD`k73Md{5# }g,XEodITrz<7XT> SELECT od5XDP#*XBKPod,WHX k+}]bm4-="vCod1|Gy&D4,# 9C EXECUTE `pxPsF1,fEG#I9Cdk5r;9Cdk5dC*sFD EXECUTE `p# ":;sF+Vd?# Z 1 B DB2 2+T#M 95 T EXECUTE B~DsFZCB~jI1xP(TZ SELECT od,sFZNjXU 1xP)#9af"B~jI1D4,#r* EXECUTE B~GZjI1sFD,yT $ZKPDi/;a"4vVZsFU>P# ":$`kod;S*4PD;?V#s`}Z(li`v5#TZ(gD~q=,+9C`P#Z ;PDB~`M* STATEMENT "R;P5#fsDPDB~`M* DATA,dP; Pm>k SQL odX*D?v}]5#IT9CB~`XrSM&CLrj6VN+ STATEMENT M DATA P4SZ;p#“odD>”"“odtk6p”M“`k73hv ”P;vVZ DATA B~P# +sF}DodD>Mdk}]5f"ZELO1,|Ga*;=}]bzk3P (yPsF}DVN,yT_P;,zk3D}]b;azzJb# ROLLBACK M COMMIT Z&CLr4P|G1xPsF,"RZm;v|n(g BIND)P~="v ROLLBACK M COMMIT 12aT|GxPsF# ZIZCJQsFDmxsFK EXECUTE B~s,+sF0l$w%*P4PD)d {odDyPod#b)odG COMMIT"ROLLBACK"ROLLBACK TO SAVEPOINT M SAVEPOINT od# #fcj6VN IT9C“#fcj6”VN4zY\ ROLLBACK TO SAVEPOINT od0lDod# U(D DML od(g SELECT"INSERT H)+sF10#fcj6#+G,TZ ROLLBACK TO SAVEPOINT od,+D*sF+Xv=D#fcj6#rK,#f cj6sZrHZCj6D?vod<+Xv,gTB>}y>#mPT>KodD KP3r;#fcj6sZrHZ 2 DyPB~<+Xv#;P5 3(4TZ;v INSERT od)+ek=m T1 P# m 6. 
5w ROLLBACK TO SAVEPOINT odD'{Dod3r od #fcj6 INSERT INTO T1 VALUES (3) 1 SAVEPOINT A 2 INSERT INTO T1 VALUES (5) 2 SAVEPOINT B 3 INSERT INTO T1 VALUES (6) 3 ROLLBACK TO SAVEPOINT A 2 COMMIT 96 }]b2+T8O WITH DATA !n 8( WITH DATA !ns,";asFyPdk5#LOB"LONG"XML Ma9/` MN}+T>* NULL# UZ"1dM1dAGVNG<* ISO q=# g{Z;v_TP8(K WITH DATA,+Zm;v_TP8(K WITHOUT DATA "RC_Tk4PD SQL odPyf0DTsX*,G4 WITH DATA +EH," R+sFCX(odD}]#}g,g{kC'X*DsF_T8( WITHOUT DATA,+kmX*D_T8( WITH DATA,G4ZCC'CJCm1,+sFCZ odDdk}]# z^(7(Z(;|Br(;>}odP^DKD)P#vG<4PDWc SELECT o d,x;G<%@D FETCH#Z"vod1,y] EXECUTE G<;\7(NjyZ DP#TsXEod1,;\"v SELECT od4KbI\\0lDPD6'# XE}%Dn/D>} ZK>}P,kDj{2+_TD;?V,C+>*s{G#tn`X K 7 jTVvT3)}]bm"vDNNX(ksD'{D&\#*K,{GF)K; n_T,*s?\D~,Tc{GITXBiI!qDNN 1LD}]b#{G*s}]bsF6qc;`XZT}]b"vD?vksDE ",TcJmXEMVvTQ4-D`X}]b"vDNNks#K*s,1f02 ,M/, SQL od# K>}T>Z"v SQL od1XkQfZDsF_T,T0CZi5sFU>"ZT si!MVvb)U>D=h# 1. 4(CZsF EXECUTE `pDsF_T"+K_T&CZ}]b: CREATE AUDIT POLICY STATEMENTS CATEGORIES EXECUTE WITH DATA STATUS BOTH ERROR TYPE AUDIT COMMIT AUDIT DATABASE USING POLICY STATEMENTS COMMIT 2. (Zi5sFU>T4(i51># 2+T\m1r;ZhT SYSPROC.AUDIT_ARCHIVE f"}LD EXECUTE X (DC'&y]G&ZyPI1OKPi5: CALL SYSPROC.AUDIT_ARCHIVE( ’/auditarchive’, -2 ) 3. 2+T\m1r;ZhT SYSPROC.AUDIT_LIST_LOGS m/}D EXECUTE X( DC'9C AUDIT_LIST_LOGS 4liT 2006 j 4 BT4DyPICsFU>, T7(D)U>I\|,XhD}]: SELECT FILE FROM TABLE(SYSPROC.AUDIT_LIST_LOGS(’/auditarchive’)) AS T WHERE FILE LIKE ’db2audit.dbname.log.0.200604%’ FILE-------------------------------------- ... db2audit.dbname.log.0.20060418235612 db2audit.dbname.log.0.20060419234937 db2audit.dbname.log.0.20060420235128 Z 1 B DB2 2+T#M 97 4. ( } K d v , 2 + T \ m 1 " V X h D U > & C Z ; v D ~ db2audit.dbname.log.20060419234937 P#1dAGT>KD~GZsF1k*i 4DGllax1i5D# 2+T\m1r;ZhT SYSPROC.AUDIT_DELIM_EXTRACT f"}LD EXECUTE X(DC'+KD~{Cw AUDIT_DELIM_EXTRACT Ddk,T+s F}]i!=(gD~P#IT+b)D~PDsF}]0k= DB2 }]bmP, ;sZb)mPVv}]TiRsF1PK$DX(od#49sF1;T%v SQL odPK$,2I\h*li$w%*PD`vod,T@b)odTPK$Do dPNN0l# 5. 
*KXEod,2+T\m1Xk4PBPYw: v y]sFG<7(*"vD<7od# v y]sFG<7("vodDC'# v XB4(C'Z"vCod15PD<7mI(,|(NN LBAC #$# v (}9CsFGPR=Dod# tC}%Dn/DXE: w*j{2+_TD;?V,+>IT*sX]tIj"VvT3)}]bm"vD NNX(ksD0lD&\# *<.0 +>XkF);n_T,*s?\D~,Tc{GIT01 XBiINNy!1LD}]b# XZKNq *JmZ+4NN1dT4(i51># *i5sFU>,k(ZKPBP|n,8( i5?&ZyPI1OKPi5: CALL SYSPROC.AUDIT_ARCHIVE( ’/auditarchive’, -2 ) 3. liQ4(DsFU>D~# ;s,b)i5D~+#f;(j}(Cj}I+> D5q_T8()# *lisFU>D~,kKPBP|n: SELECT FILE FROM SESSION.AUDIT_ARCHIVE_RESULTS a{ VZ,QhCKzD73,byai5}]ME"TJm+4XEyGME"}T>K SECADM agNXE}%D}]bn/# hv Z3v1L,+>sF1I\k*VvX(C'"zZ}%Dn/#SECADM IT9C 8]}]b3q(dO8]U>9C)MsFU>4XBiIPJbD}]b,"X EsF1k*VvDn/#Y(X(C'"zZ 2006 j 4 B 19 UDn/PJb, TB>}T>K SECADM ITgNozsF14PdVvDwL# >} 1. SECADM +"v AUDIT_LIST_LOGS TiRT 2006 j 4 BpyPICDsF U># SELECT FILE FROM TABLE(SYSPROC.AUDIT_LIST_LOGS(’/auditarchive’)) AS T WHERE FILE LIKE ’db2audit.db.sample.log.0.200604%’ FILENAME --------------------------------------- ... db2audit.db.sample.log.0.20060418235612 db2audit.db.sample.log.0.20060419234937 db2audit.db.sample.log.0.20060420235128 2. (}Kdv,SECADM "VX*DU>&;Z db2audit.db.sample.log.20060419234937 D~P#CU>GD76, v CZ7(*SPa!D)D~DD~{}Kw, v *a!D?v`pD4,,ZK>}P,;P;v`p EXECUTE# Z 1 B DB2 2+T#M 99 CALL SYSPROC.AUDIT_DELIM_EXTRACT( ’’, ’’, ’/auditarchive’, ’db2audit.db.sample.log.0.20060419234937’, ’category execute’ ) 4. VZ,sF}]Q-;Z(gD~P#SECADM +QsF}]S EXECUTE `p 0k AUDITDATA.EXECUTE m#CmI(}4PBP|nxP4(: db2 CONNECT TO sample db2 SET CURRENT SCHEMA AUDITDATA db2 -tvf sqllib/misc/db2audit.ddl 5. B;=,+}]S execute.del 0k AUDITDATA.EXECUTE m#*4PKYw, kKPBP|n: db2 LOAD FROM FILE execute.del OF DEL MODIFIED BY LOBSINFILE INSERT INTO AUDITDATA.EXECUTE 6. 
VZ,SECADM Q+yPsF}]X*<1d (local_start_time) G EXECUTE sFG}: timestamp=2006-04-10-13.20.51.029203; category=EXECUTE; audit event=STATEMENT; event correlator=1; event status=0; database=SAMPLE; userid=smith; authid=SMITH; session authid=SMITH; application id=*LOCAL.prodrig.060410172044; application name=myapp; package schema=NULLID; package name=SQLC2F0A; package section=201; uow id=2; activity id=3; statement invocation id=0; statement nesting level=0; statement text=SELECT * FROM DEPARTMENT WHERE DEPTNO = ? AND DEPTNAME = ?; statement isolation level=CS; compilation environment= isolation level=CS query optimization=5 min_dec_div_3=NO 100 }]b2+T8O degree=1 sqlrules=DB2 refresh age=+00000000000000.000000 schema=SMITH maintained table type=SYSTEM resolution timestamp=2006-04-10-13.20.51.000000 federated asynchrony=0; value index=0; value type=CHAR; value data=C01; value index=1; value type=VARCHAR; value data=INFORMATION CENTER; local_start_time=2006-04-10-13.20.51.021507; 0vod+kBPZ]`F: ROLLFORWARD DATABASE sample TO 2006-04-10-13.20.51.021507 USING LOCAL TIME AND COMPLETE 9. 9h*hC`k73#`k73d?I(} SET COMPILATION ENVIRONMENT odxPhC#w*"vodDC'KPD SECADM VZIT9Cod5 }]*XPa)DNNdkd?XEZodD>PR=Dod#TBG9C C 6k = SQL oT`4D;vy>Lr,CLr+hC COMPILATION ENVIRONMENT "XEsF1k*VvD SELECT od: EXEC SQL INCLUDE SQLCA; EXEC SQL BEGIN DECLARE SECTION; SQL TYPE IS BLOB(1M) hv_blob; EXEC SQL END DECLARE SECTION; EXEC SQL DECLARE c1 CURSOR FOR SELECT COMPENVDESC FROM AUDITDATA.EXECUTE WHERE TIMESTAMP = ’2006-04-10-13.20.51.029203’; EXEC SQL DECLARE c2 CURSOR FOR SELECT * FROM DEPARTMENT WHERE DEPTNO = ’C01’ AND DEPTNAME = ’INFORMATION CENTER’; EXEC SQL OPEN c1; EXEC SQL FETCH c1 INTO :hv_blob; EXEC SQL SET COMPILATION ENVIRONMENT :hv_blob; EXEC SQL OPEN c2; .... 
EXEC SQL CLOSE c1; EXEC SQL CLOSE c2; sFh)\m sFh)P* >wba)K;)s(E",|GPzZzKb+sFG<4kU>D1dgN0l }]bT\;gN\msFh)P"zDms;T0sFGD1d + s FG< 4 k n / U > I k < B z I G ) G < D B ~ , = r l = " z # audit_buf_sz }]b\mwdCN}D57(N14ksFG<# Z 1 B DB2 2+T#M 101 g{ audit_buf_sz D5*c (0),G4l=4kG<#zIsFG,14(sF_T19Cms`M AUDIT T0BfyvDd{i5 &(Z+sFU>i5#+sFU>i51a+10sFU>FA;vi5?<,x ~qw*<4kBDn/sFU>#Qi5D?vU>D~D{FP<|,;v1d AG,Iozzj6PK$DU>D~TcZ+4xPVv# *K$Zf",I\*TtIiQi5D~xP9u# TZz;YPK$DQi5sFU>,5}yP_;hSYw53P>}b)D~4 I# ms&m 4(sF_T1,&C9Cms`M AUDIT,}Gz4(D;G;vbTsF_T#} g,g{ms`MhC* AUDIT "R"zKms(}g,ELUdD!),G4+5 Xms#Xk|}msiv.sE\Lx4PNNd{IsFDYw#+G,g{m s`MhC* NORMAL,G4G<+'\,+;aTC'5Xms#+q4"zms ;yLx4PYw# g{i5ZdvVJb(}g,Cji576PDELUd,r_i576;f Z),G4i5xL+'\"RZsFU>}]76PzID~)9{* .bk DY1U >D~,}g,db2audit.instance.log.0.20070508172043640941.bk#ZbvJbs ((}Zi576PVdc;`DELUd,r_(}4(i576),Xk+KY 1U>FAi576#;s,ITqT}I&i5DU>;yT}CU># DDL od^F ZxkB;v$w%*.0,3)}](eoT (DDL) od(F* AUDIT @<= SQL od);az'#rK,(iZ4Pb)od1PD?vod.sM"44P COM- MIT od# AUDIT @<= SQL od|(: v AUDIT v CREATE AUDIT POLICY"ALTER AUDIT POLICY M DROP AUDIT POLICY v DROP ROLE M DROP TRUSTED CONTEXT(g{*>}DG+rIEOBDk sF_TX*) CZfEQi5}]Dmq=I\aDd 2+T\m1IT9C SYSPROC.AUDIT_DEL_EXTRACT f"}L(53\m1IT 9C db2audit extract |n)+Qi5sFU>D~PDsFG db2audit.ddl 4(}7q=Dm4|,sFG<#z+Z{T?v"Pf "TDCJG “ALTER”,R*liDTs`MG“TABLE”(;GP,r*liDGmX()# +G,1Cli*i$GqfZ}]b(^4JmC'j64("s(r>}Ts 1,d;akT}]bxPli,+Ts`MVNT+8(*4("s(r>}DT s(x;G}]b>m)# ZmO4(;vw}1,h*4(w}DX(,rK,CHECKING B~sFG<+_P CJ"T`M“w}”x;G“4(”# 4(CZs(Lr|DsFG< 1s(;vQfZDLr|1,a*CLr|D DROP 4( OBJMAINT B~sFG <,;s*CLr|B1>D CREATE 4(m;v OBJMAINT B~sFG<# Xvs9C CONTEXT B~E" “}](eoT”(DDL) IzIG<*I&D OBJMAINT r SECMAINT B~#+G, ZG"TDYwDjIT J# 0k(g{ i!JO0k DB2 }]bmPD(gq=DsFG<1,&e~CodD>VNZ9 CD(g{DPXiv#bIZi!(gD~19CBPod4jI: db2audit extract delasc delimiter load_delimiter load_delimiter ITG%vV{(}g,″)r_Gm>.yxF5DDVZV{.(} g,:0x3b;)#P'|nD>}G: db2audit extract delasc db2audit extract delasc delimiter ! 
db2audit extract delasc delimiter 0x3b g{i!19CD(g{;G1!0k(g{,G4&Z LOAD |nP9C MODIFIED BY !n#BfG+ :0x3b; Cw(g{D LOAD |nD>};?V: db2 load from context.del of del modified by chardel0x3b replace into ... b+2G1!0kV{.(g{ ″(+}E)# 104 }]b2+T8O db2cluster |nD2+T#M db2cluster |nGxk DB2 /:~qDwSZ,"TKm]d1* IBM DB2 pureScale Feature a)D/:\mwM2mD~53/:#C'ICD db2cluster | n!n!vZC'D(^# M db2cluster |nD2+T#MxT,;2P 3 vC'i(4?vC'iI\4PD Nq`M.V): v Z53O_PC'j6DNNK KiPDC'\;9C db2cluster |n4(fPX DB2 pureScale5}DE",+ ;\xPNN|D# v SYSADM"SYSCTL r SYSMAINT i KiPDC'\;9C db2cluster |n495}#Vt/"KP"Z/:\mwO 4P;)\mNq#y](e,KiPDC'G5}DC'j6"5}yP_Dw iDI1r5}yP_DGwiDI1#DB2 (i9C_P5}yP_DGwiI1 JqDC'j644PU(U#n/ v DB2 /:~q\m1 KiPDC';h*CJ}]bPD}];bGCZTBYwD\mG+: – 20MdC DB2 D DB2 /:~q?V – ,$/:rPD/:5}0,$2mD~53/: DB2 /:~q\m1G+GICJYw53DI root C'yPDC'j6DnUC ';}g,KG+GYw53\m1#DB2 /:~qa0lyP/:73,zG9C DB2 pureScale Feature 9G_P/I HA DVx}]b73#rK,}]bOd1 DBADM"SECADM"SQLADM"WLMADM"EXPLAIN"ACCESSCTRL M DATAACCESS .`DG+4a)/:\mDJ1(^6p#DB2 /:~q\m1k _P SYSADM"SYSCTL r SYSMAINT iPDC'j6D3KI\G,;K# ":;\vvr*C'_P SYSADM X(Mb6EKC';(_PYw53\mX (# db2cluster D/:\mwNq v Z53O_PC'j6DNNK}/:J4"^4/:\mwJ4# M;?R(i;PZ DB2 ~qK1D(iBE4Pb)Nq# v DB2 /:~q\m1IZ/:rZDyPwzO4P0lyP/:5}PD{e DB2 /:~qD\mNq#KC'I9C -set !n44PdCNq(}g,hCYCh 8MwzJOlb1d)#xR,DB2 /:~q\m1I4Pk,$`XDNq,} g,9C -enter !n+wzCZ,$==,r_9C -commit !n+|Dr|Bd 5A/:\mw#KC'9IZ/:\mwTHrO4P_6,$Yw,}g,4 (">}"t/r#9rT0mSr}%wz;+G,?R(i;PZ DB2 ~qK 1(i1E4Pb)Nq# Z 1 B DB2 2+T#M 105 db2cluster D2mD~53Nq v Z53O_PC'j6DNNK}rXB=bD~53#4(|D C'j6r DB2 /:~q\m1I4(d{C'ICJD?<(kU(D~53\ q)# v DB2 /:~q\m1IZ/:rZDyPwzO4P0lyP/:5}PD{e DB2 /:~qD\mNq#KC'I9C -set !n4TYCh84P|D!n#xR, DB2 /:~q\m1I4Pk,$`XDNq,}g,9C -enter !n+wzCZ ,$==,r_9C -commit !n+|Dr|Bd5A2mD~53#KC'9IZ 2mD~53/:O4P_6,$Yw,}g,4(">}"t/r#9rT0m Sr}%wz;+G,?R(i;PZ DB2 ~qK1(i1E4Pb)Nq# 106 }]b2+T8O Z 2 B G+ G+(}a)kiH[D&\+;P`,D^F,r/KX(D\m# G+G+;nr`nX(/PZ;pD}]bTs,IT9C GRANT od+G+8( xC'"i"PUBLIC rd{G+,2IT9C CREATE TRUSTED CONTEXT r ALTER TRUSTED CONTEXT od+|8(xIEOBD#ITT$w:X(ePD 
SESSION_USER ROLE ,StT8(G+# G+a)K;)Ec,9C\m}]b53PDX(dC|]W: v 2+T\m1ITIC43{GDi/a9D==4XFT}]bDCJ({GI TZ}]bP4(1S3dAi/PD$w0\DG+)# v ZhC'Z43{GD$w0pDG+PDI1Jq#1{GD$w0pd/1, IT\=cXZhM7z{GZG+PDI1Jq# v r/KX(DVd#\m1IT+;iX(Zhm>X($w0\D;vG+,; s+CG+ZhC$w0\PD?vC',x;C+`,D;iX(ZhC$w0 \PD?v%@C'# v IT|BG+DX(,"RZhKCG+DyPC'<+SU|B;\m1;h* pv|B?vC'DX(# v Z4(S<"%"w"_e/i/m (MQT)"2, SQL M SQL }L1}"Z("7zM"MG+#2+T\m19C GRANT (Role) od+G+PDI1JqZh;vZ(j6"9C REVOKE (Role) od7zZ (j6ZG+PDI1Jq# (}9C WITH ADMIN OPTION ZhZ(j6ZG+PDI1Jq,2+T\m1 IT+G+PI1JqD\m(/PxCZ(j6#GRANT (Role) odD WITH ADMIN OPTION Sd9d{C'IT: v +G+Zhd{K# v 7zd{KDG+# v "MG+# WITH ADMIN OPTION Sd;a9d{C'_PBP&\: v >}G+# v 7zZ(j6TG+D WITH ADMIN OPTION# v + WITH ADMIN OPTION Zhd{K(g{z;P SECADM (^)# Z2+T\m14(KG+s,}]b\m1IT9C GRANT od+(^MX(8( xG+#ITTG+Zh\;Z}]bZZhDyP DB2 X(M(^#;\+5}6 p(^(}g,SYSADM (^)8(xG+# 2+T\m1r2+T\m19C WITH ADMIN OPTION *dZhKG+PDI1 JqDNNC'} g{3vG+_P;iX(,G4ZhKKG+PDI1JqDC'+LPb)X (#LPX(9CZ+;vC'DX(XB8(xm;vC'1;X\mwvX(# 9CG+1(;h*DYwG7z;vC'ZG+PDI1Jq"+G+PDI1J qZhd{C'# }g,01 BOB M ALICE Z?E DEV P$w,{G_PTm SERVER"CLIENT M TOOLS D SELECT X(#;l,\mK1v(+{G*=;vB?E QA,rK }]b\m1Xk7z{GTm SERVER"CLIENT M TOOLS D SELECT X(#s 4,?E DEV M6K;;B01 TOM,}]b\m1Xk+Tm SERVER"CLIENT M TOOLS D SELECT X(Zh TOM# 9CG+1,+4PBP=h: 1. 2+T\m14(G+ DEVELOPER: CREATE ROLE DEVELOPER 2. 5P DBADM (^D}]b\m1+Tm SERVER"CLIENT M TOOLS D SELECT X(ZhG+ DEVELOPER: GRANT SELECT ON TABLE SERVER TO ROLE DEVELOPER GRANT SELECT ON TABLE CLIENT TO ROLE DEVELOPER GRANT SELECT ON TABLE TOOLS TO ROLE DEVELOPER 3. 2+T\m1+G+ DEVELOPER Zh?E DEV PDC' BOB M ALICE: GRANT ROLE DEVELOPER TO USER BOB, USER ALICE 4. 1 BOB M ALICE k*?E DEV s,2+T\m17zC' BOB M ALICE D G+ DEVELOPER: REVOKE ROLE DEVELOPER FROM USER BOB, USER ALICE 5. 
1?E DEV PM6 TOM 1,2+T\m1+G+ DEVELOPER ZhC' TOM: GRANT ROLE DEVELOPER TO USER TOM G+cNa9 T;vG+Zhm;vG+PDI1Jq1,MNIKG+cNa9# +;vG+Zhm;vG+s,s;vG++|,0;vG+#s;vG++LP0 ;vG+DyPX(#}g,g{+G+ DOCTOR ZhG+ SURGEON,G4O* SURGEON |, DOCTOR#G+ SURGEON +LPG+ DOCTOR DyPX(# ;JmG+cNa9PvV-7#g{T-7==ZhG+,Tc+;vG+Zhm ;vG+,xV+s_Zh-} TB>}T>gN9(G+cNa94m>=:PD=F6p# k}5wZ7zZ(j6D3)X(T0(}G+rd{=(5PX(1T}] bTszzD0l# 7zG+DX(D>} 1. 2+T\m14(G+ DEVELOPER "TC' BOB ZhKG+PDI1Jq: CREATE ROLE DEVELOPER GRANT ROLE DEVELOPER TO USER BOB 2. C' ALICE 4(m WORKITEM: CREATE TABLE WORKITEM (x int) 3. }]b\m1+Tm WORKITEM D SELECT M INSERT X(Zh PUBLIC " ,1ZhG+ DEVELOPER: GRANT SELECT ON TABLE ALICE.WORKITEM TO PUBLIC GRANT INSERT ON TABLE ALICE.WORKITEM TO PUBLIC GRANT SELECT ON TABLE ALICE.WORKITEM TO ROLE DEVELOPER GRANT INSERT ON TABLE ALICE.WORKITEM TO ROLE DEVELOPER 4. C' BOB 4(;v9Cm WORKITEM DS< PROJECT MyZm WORKITEM DLr| PKG1: CREATE VIEW PROJECT AS SELECT * FROM ALICE.WORKITEM PREP emb001.sqc BINDFILE PACKAGE USING PKG1 VERSION 1 5. g{}]b\m17z PUBLIC Tm ALICE.WORKITEM D SELECT X(,IZ S<(e_ BOB (}dZG+ DEVELOPER PDI1JqT5PXhDX(,y TS< BOB.PROJECT #VIC"RLr| PKG1 TP': REVOKE SELECT ON TABLE ALICE.WORKITEM FROM PUBLIC 6. g{}]b\m17zG+ DEVELOPER Tm ALICE.WORKITEM D SELECT X (,IZS} Z>>}P,G+ DEVELOPER 5P DBADM (^"RQ+CG+ZhC' BOB# 1. 2+T\m14(G+ DEVELOPER: CREATE ROLE DEVELOPER 2. 53\m1+ DBADM (^ZhG+ DEVELOPER: GRANT DBADM ON DATABASE TO ROLE DEVELOPER 3. 2+T\m1TC' BOB ZhKG+PDI1Jq: GRANT ROLE DEVELOPER TO USER BOB 4. C' ALICE 4(m WORKITEM: CREATE TABLE WORKITEM (x int) 5. C' BOB 4(;v9Cm WORKITEM DS< PROJECT"yZm WORKITEM DLr| PKG1 T0,yyZm WORKITEM D%"w TRG1: CREATE VIEW PROJECT AS SELECT * FROM ALICE.WORKITEM PREP emb001.sqc BINDFILE PACKAGE USING PKG1 VERSION 1 CREATE TRIGGER TRG1 AFTER DELETE ON ALICE.WORKITEM FOR EACH STATEMENT MODE DB2SQL INSERT INTO ALICE.WORKITEM VALUES (1) 6. 
2+T\m17zC' BOB DG+ DEVELOPER: REVOKE ROLE DEVELOPER FROM USER BOB 7zG+ DEVELOPER a: v S< BOB#PROJECT TP'# v Lr| PKG1 dC^'# v %"w BOB.TRG1 TP'# S< BOB.PROJECT M%"w BOB.TRG1 IC,xLr| PKG1 ;IC#'% DBADM (^1,I5P DBADM (^DZ(j64(DS}CG+# WITH ADMIN OPTION Sd;a9m;vC'P(+TG+D WITH ADMIN OPTION Zhd{C'#|2;a9m;vC'P(7zd{Z(j6TG+D WITH ADMIN OPTION# 5w WITH ADMIN OPTION SdDC(D>} 1. 2+T\m14(G+ DEVELOPER "9C WITH ADMIN OPTION Sd+KB G+ZhC' BOB: CREATE ROLE DEVELOPER GRANT ROLE DEVELOPER TO USER BOB WITH ADMIN OPTION Z 2 B G+ 111 2. C' BOB IT+CG+PDI1JqZhd{C'(}g,ALICE)"7zd{C 'ZCG+PDI1Jq: GRANT ROLE DEVELOPER TO USER ALICE REVOKE ROLE DEVELOPER FROM USER ALICE 3. C' BOB ;\>}CG+r+ WITH ADMIN OPTION Zhm;vC'(;P2 +T\m1IT4Pb=vYw)#BOB "vDb)|n+'\: DROP ROLE DEVELOPER - FAILURE! - only a security administrator is allowed to drop the role GRANT ROLE DEVELOPER TO USER ALICE WITH ADMIN OPTION - FAILURE! - only a security administrator can grant WITH ADMIN OPTION 4. IZC' BOB ;P2+T\m1 (SECADM) (^,yT{/};\7zG+ DEVELOPER DC'DG+\mX((I WITH ADMIN OPTION Zh)#1 BOB "vTB|n1,C|n+'\: REVOKE ADMIN OPTION FOR ROLE DEVELOPER FROM USER SANJAY - FAILURE! 5. 2+T\m1IT7zC' BOB TG+ DEVELOPER DG+\mX((I WITH ADMIN OPTION Zh),"TTC' BOB ZhG+ DEVELOPER: REVOKE ADMIN OPTION FOR ROLE DEVELOPER FROM USER BOB Kb,g{2+T\m1v7zC' BOB DG+ DEVELOPER,G4 BOB +' %w*G+ DEVELOPER DI1y5PDyPX(T0(} WITH ADMIN OPTION Sd5PDTCG+D(^: REVOKE ROLE DEVELOPER FROM USER BOB HOG+ki Z4(S<"_e/i/m (MQT)"SQL }L"%"wM|,2, SQL DLr|1, +;} K>}T>gN9CG+4f;i# Y(P}vi DEVELOPER_G"TESTER_G M SALES_G#C' BOB"ALICE M TOM Gb)iDI1,gBmPy>: m 7. iMC'>} i tZKiDC' DEVELOPER_G BOB TESTER_G ALICE M TOM SALES_G ALICE M BOB 1. 2+T\m14(*C4zfiDG+ DEVELOPER"TESTER M SALES# CREATE ROLE DEVELOPER CREATE ROLE TESTER CREATE ROLE SALES 112 }]b2+T8O 2. 2+T\m1+b)G+PDI1JqZhC'(hCiPDC'I1JqG53 \m1D0p): GRANT ROLE DEVELOPER TO USER BOB GRANT ROLE TESTER TO USER ALICE, USER TOM GRANT ROLE SALES TO USER BOB, USER ALICE 3. 
}]b\m1IT+iy5PD`FX(r(^Zhb)G+,}g: GRANT privilege ON object TO ROLE DEVELOPER ;s,}]b\m1IT7ziDb)X(,"*s53\m1S53P}%b) i# 9C(}G+q!DX(4(%"wD>} K>}T>1C' BOB (}G+ DEVELOPER 5PXhX(1,CC'ITI&4 (%"w TRG1# 1. WH,C' ALICE 4(m WORKITEM: CREATE TABLE WORKITEM (x int) 2. ;s,I}]b\m1+Dd ALICE DmDX(ZhG+ DEVELOPER: GRANT ALTER ON ALICE.WORKITEM TO ROLE DEVELOPER 3. IZC' BOB GG+ DEVELOPER DI1,yT{/}I&4(%"w TRG1# CREATE TRIGGER TRG1 AFTER DELETE ON ALICE.WORKITEM FOR EACH STATEMENT MODE DB2SQL INSERT INTO ALICE.WORKITEM VALUES (1) ZS IBM Informix Dynamic Server (Fs9CG+ g{QS IBM Informix® Dynamic Server (FA DB2 }]b53"R}Z9CG+, G4zh*Kb;)Bn# Informix Dynamic Server(IDS)SQL od GRANT ROLE a)Sd WITH GRANT OPTION#DB2 }]b53D GRANT ROLE oda)_P`,&\DSd WITH ADMIN OPTION(CSd{O SQL j<)#ZS IDS (FA DB2 }]b53Zd, Z dbschema $_zI CREATE ROLE M GRANT ROLE ods,dbschema $_a +vVDNN WITH GRANT OPTION f;* WITH ADMIN OPTION# Z IDS }]b53P,SET ROLE od$nX(G+#DB2 }]b53'V SET ROLE od,+;G*Kk9CC SQL odDd{z7f]#SET ROLE odlia 0C'GqGG+DI1,g{;G,G4|+5Xms# dbschema dv>} Y( IDS }]b|,G+ DEVELOPER"TESTER M SALES#*C' BOB"ALICE M TOM ZhK;,DG+;+G+ DEVELOPER Zh BOB"+G+ TESTER Zh ALICE,"+G+ TESTER M SALES Zh TOM#*(FA DB2 }]b53,k9 C dbschema $_*}]bzI CREATE ROLE M GRANT ROLE od: CREATE ROLE DEVELOPER CREATE ROLE TESTER CREATE ROLE SALES GRANT DEVELOPER TO BOB GRANT TESTER TO ALICE, TOM GRANT SALES TO TOM Z 2 B G+ 113 XkHZ DB2 }]b53P4(}]b,;sEITZC}]bPKPOvod,T XB4(G+"VdG+# 114 }]b2+T8O Z 3 B 9CIEOBDMIE,S Z("k DB2 }]bD,S1,(}Z&CLrZ"vksIT("T=IE,S# 2+T\m1H0XkQ9C CREATE TRUSTED CONTEXT odT0k*("D, SDtT%dDG)tT4(eIEOBD(kNDsfD=h 1)# *<.0 (",S1C4ksT=IE,SD API !vZ9CD&CLr`M(kND=h 2 P Dm)# ("T=IE,S.s,&CLrIT(}9CJCZC`MD&CLrD API(kN D=h 3 PDm)+,SDC'j6P;Am;vC'j6# }L 1. 2+T\m1(}9C CREATE TRUSTED CONTEXT odZ~qwP(eIEO BD# }g: CREATE TRUSTED CONTEXT MYTCX BASED UPON CONNECTION USING SYSTEM AUTHID NEWTON ATTRIBUTES (ADDRESS ’192.0.2.1’) WITH USE FOR PUBLIC WITHOUT AUTHENTICATION ENABLE 2. 
*("IE,S,k9C&CLrPDBPdP;v API: !n hv &CLr API CLI/ODBC SQLConnect M SQLSetConnectAttr XA CLI/ODBC Xa_open JAVA getDB2TrustedPooledConnection M getDB2TrustedXAConnection 3. *P;Am;v-}O$r4-}O$DC',k9C&CLrPDBPdP;v API: !n hv &CLr API CLI/ODBC SQLSetConnectAttr XA CLI/ODBC SQLSetConnectAttr JAVA getDB2Connection M reuseDB2Connection .NET DB2Connection.ConnectionString X|V: TrustedContextSystemUserID M TrustedContextSystemPassword xPP;1GqTBC'j6xPO$!vZkCT=IE,S`X*DIEOB DTsD(e#}g,Yh2+T\m14(KTBIEOBDTs: © Copyright IBM Corp. 2013 115 CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID USER1 ATTRIBUTES (ADDRESS ’192.0.2.1’) WITH USE FOR USER2 WITH AUTHENTICATION, USER3 WITHOUT AUTHENTICATION ENABLE x;=Y(("KT=IE,S#IZ USER3 Q(e*;h*TdxPO$DIE OBD CTX1 DC',yTJmZ;a)O$E"DivB+IE,SODC'j 6P;A USER3 Dks#+G,IZ USER2 Q(e*Xka)dO$E"DI EOBD CTX1 DC',yTZ4a)O$E"DivB+IE,SODC'j6 P;A USER2 Dks+'\# ("T=IE,S"P;C'D>} ZTB>}P,Pdc~qwh*zmnUC'"v;)}]bks,+;XCJn UC'D>$TzmCnUC'("}]b,S# ITZ}]b~qwO4(;vIEOBDTs,CTsJmPdc~qw("k} ]bDT=IE,S#Z("T=IE,Ss,Pdc~qwIT+C,SD10C 'j6P;ABDC'j6,x;h*Z}]b~qwPO$BDC'j6#TB CLI zkN5wKgN9CZ0fD=h 1 P(eDIEOBD MYTCX 4("IE,S, T0gNP;AIE,SO4-}O$DC'# int main(int argc, char *argv[]) { SQLHANDLE henv; /* environment handle */ SQLHANDLE hdbc1; /* connection handle */ char origUserid[10] = "newton"; char password[10] = "test"; char switchUserid[10] = "zurbie"; char dbName[10] = "testdb"; // Allocate the handles SQLAllocHandle( SQL_HANDLE_ENV, &henv ); SQLAllocHandle( SQL_HANDLE_DBC, &hdbc1 ); // Set the trusted connection attribute SQLSetConnectAttr( hdbc1, SQL_ATTR_USE_TRUSTED_CONTEXT, SQL_TRUE, SQL_IS_INTEGER ); // Establish a trusted connection SQLConnect( hdbc1, dbName, SQL_NTS, origUserid, SQL_NTS, password, SQL_NTS ); //Perform some work under user ID "newton" ........... 
// Commit the work SQLEndTran(SQL_HANDLE_DBC, hdbc1, SQL_COMMIT); // Switch the user ID on the trusted connection SQLSetConnectAttr( hdbc1, SQL_ATTR_TRUSTED_CONTEXT_USERID, switchUserid, SQL_IS_POINTER ); //Perform new work using user ID "zurbie" ......... //Commit the work 116 }]b2+T8O SQLEndTran(SQL_HANDLE_DBC, hdbc1, SQL_COMMIT); // Disconnect from database SQLDisconnect( hdbc1 ); return 0; } /* end of main */ B;=v24 N1f}P;C'j6? Z"vCZP;IE,SODC'D|n.s,";a"44PP;C'k s,*H=+B;vod"MA~qw.sEa4PCks#TB>}TbV ivxPK5w#*H="vB;vod.s,list applications |nEaT >nuDC'j6# 1. 9C USERID1 ("T=IE,S# 2. T USERID2 "vP;C'|n,}g getDB2Connection# 3. KP db2 list applications#|T+T>Q,S USERID1# 4. ZIE,SO"v;vod(}g,executeQuery("values current sqlid"))TZ~qwP4PP;C'ks# 5. YNKP db2 list applications#VZ,K|nMaT>Q,S USERID2# IEOBDMIE,S IEOBDG;v}]bTs,|*}]bkb?5e(}g,&CLr~qw). dD,S(eENX5# ENX5yZBP;itT: v 53Z(j6:m>("}]b,SDC' v IP X7(rr{):m>ZdP("}]b,SDwz v }]wS\:m>CZ}]b~qwk}]bM'z.dD}](EDS\hC (g{KhCfZ) C'("}]b,S1,DB2 }]b53+liC,SGqk}]bPDIEOBDT sD(e%d#g{%d,G4O*C}]b,SGIE,S# IE,SJmKIE,SD"p=q!ZIE,SwCrbI\;ICDd{&\# y]IE,SGT=,S9G~=,S,b)&\aPy;,# T=IE,SD"p=IT: v +,SOD10C'j6P;Am;v-}O$r4-}O$DC'j6 v (}IEOBDDG+LP&\q!d{X( ~=IE,SGGT=ksDIE,S;~=IE,SI}#,Sksx;GT=I E,Skszz#q!~=,S;h*|D&CLrzk#Kb,zGqqC~=I E,S;a0l,S5Xk(ksT=IE,S1,,S5Xk8>ksGqI &)#~=IE,SD"p=;\(}IEOBDDG+LP&\q!d{X(;{ G;\P;C'j6# Z 3 B 9CIEOBDMIE,S 117 9CIEOBDgNv?2+T }c&CLr#M(}ZM'z&CLrk}]b~qw.dSk;vPdc4)9 j<=cM'zM~qw#M#C#MZn|8jG#wP,XpGZyZ Web D< uM Java 2 Enterprise Edition(J2EE)=(vVs#'V}c&CLr#MDm~z7 >}P IBM WebSphere® Application Server(WAS)# Z}c&CLr#MP,Pdc:pO$KPM'z&CLrDC'"\mk}]b ~qwD;%#+3O,yPk}]b~qwD;%$DiOr}]b~qwj6| T:#bb6E,}]b~qw9CkPdcC'j6X*D}]bX(44PZx PNN}]bCJ(|(PdczmC'4PDCJ)1-r#;*@C'j6\Q+Pd c*T:?Dx4PDBqkzmC'4PDBqxV*4# v ZhPdcZ(j6}`X( PdcZ(j6Xk_P4PC'"vDyPksyhDyPX(#bfZ;v2 +TJb,|9;h*CJ3)E"DC'$# v T\*z#Z}]b~qwP4(BDom,S"XBO$C'\T;azzT\ *z# v ,$*z#Z49C/P2+ThCr49C%cG} Y(2+T\m14(KTBIEOBDTs: CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID USER2 ATTRIBUTES
(ADDRESS ’192.0.2.1’) DEFAULT ROLE managerRole ENABLE g{C' user1 S IP X7 192.0.2.1 ksIE,S,G4 DB2 }]b53+5X; v/f(SQLSTATE 01679 M SQLCODE +20360)T8>4\("IE,S,CC' user1 vqC;IE,S#+G,g{C' user2 S IP X7 192.0.2.1 ksIE,S, IZIEOBD CTX1 zc,StT,yT+5VCks#H;C' user2 ("KI E,S,G4{/}VZITq!kIEOBDG+ managerRole X*DyPX(M( ^#b)X(M(^I\TKIE,SwCrbDC' user2 ;IC# (}IEOBDLPG+I1Jq IE,SD10C'IT(}IEOBD4T/LPG+Tq!d{X(,+0aG KG+XkQI2+T\m18(*`XIEOBD(eD;?V# 1!ivB,IE,SDyPC'}Py># 4(8(1!G+MX(ZC'DG+DIEOBD>} Y(2+T\m14(KTBIEOBDTs: CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID USER1 ATTRIBUTES (ADDRESS ’192.0.2.1’) WITH USE FOR USER2 WITH AUTHENTICATION, USER3 WITHOUT AUTHENTICATION DEFAULT ROLE AUDITOR ENABLE 1 USER1 ("IE,S1,ZhG+ AUDITOR DX(+IKZ(j6LP#,y, 1IE,SOD10Z(j6P;A USER3 DC'j61,b)X(9+I USER3 L P#(g{C,SDC'j6Z3v1dP;A USER2,G4 USER2 2+LPIEO BD1!G+ AUDITOR#)2+T\m1IT!qC USER3 LP}IEOBD1! G+bDm;vG+#{GIT(}+X(G+8(xKC'45VK?D,gBy >: CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID USER1 ATTRIBUTES (ADDRESS ’192.0.2.1’) WITH USE FOR USER2 WITH AUTHENTICATION, USER3 WITHOUT AUTHENTICATION ROLE OTHER_ROLE DEFAULT ROLE AUDITOR ENABLE 1IE,SOD10C'j6P;A USER3,KC';YLPIEOBD1!G+#` 4,{G+LPI2+T\m18(x{/}DX(G+ OTHER_ROLE# XZZT=IE,SOP;C'j6Dfr ZT=IE,SO,IT+,SDC'j6P;Am;vC'j6#+G&q-3) fr# 1. g{P;ks;GST=IE,S"vD,"RCP;ks+"MA~qwTx P&m,G4,S+XU"5X;ums{"(SQLSTATE 08001 M-rk* 41 D SQLCODE -30082)# 2. g{P;ks;GZBq_g"vD"BqQXv"RCP;ks+"MA~q wTxP&m,G4+9,S&Z4,S4,"5X;ums{"(SQLSTATE 58009 M SQLCODE -30020)# 3. g{P;ksGSf"}L"vD,G4+5X;ums{"(SQLCODE -30090 M-rk 29),|8>K73PDYwG(#+#V,S4,"R;a9,S&Z 4,S4,#IT&msxks# 120 }]b2+T8O 4. g{P;ksZ5},S(x;G}]b,S)P+],G4C,S+XU"5 X;ums{" (SQLCODE -30005)# 5. g{P;ksG9CIE,SO;JmDZ(j6"vD,G4+5Xms (SQLSTATE 42517 M SQLCODE -20361)"9,S&Z4,S4,# 6. g{P;ksG9CIE,SOJmD-}O$DZ(j6"vD,+4a)` &DO$nF,G4+5Xms(SQLSTATE 42517 M SQLCODE -20361)"9 ,S&Z4,S4,# 7. 
g{kIE,SX*DIEOBDTs;{C,"RTCIE,S"vKP;k s,G4+5Xms(SQLSTATE 42517 M SQLCODE -20361)"9,S&Z4 ,S4,# ZKivB,(;S\DP;C'ksG8(("KIE,SDC'j6rUC 'j6Dks#g{P;A("KIE,SDC'j6,G4KC'j6+;L PNNIEOBDG+(|(IEOBD1!G+MIEOBDX(ZC'DG +)# 8. g{|DKkIE,SX*DIEOBDTsD53Z(j6tT,"RTCI E,S"vKP;ks,G4+5Xms(SQLSTATE 42517 M SQLCODE -20361)"9,S&Z4,S4,# ZKivB,(;S\DP;C'ksG8(("KIE,SDC'j6rUC 'j6Dks#g{P;A("KIE,SDC'j6,G4KC'j6+;L PNNIEOBDG+(|(IEOBD1!G+MIEOBDX(ZC'DG +)# 9. g{>}KkIE,SX*DIEOBDTs,"RTCIE,S"vKP;k s,G4+5Xms(SQLSTATE 42517 M SQLCODE -20361)"9,S&Z4 ,S4,# ZKivB,(;S\DP;C'ksG8(("KIE,SDC'j6rUC 'j6Dks#g{P;A("KIE,SDC'j6,G4KC'j6+;L PNNIEOBDG+(|(IEOBD1!G+MIEOBDX(ZC'DG +)# 10. g{P;ksG9CIE,SOJmDC'j6"vD,+CC'j6;PT}] bD CONNECT X(,G4+9,S&Z4,S4,"5X;ums{" (SQLSTATE 08004 M SQLCODE -1060)# 11. g{IEOBD53Z(j6vVZ WITH USE FOR SdP,G4 DB2 }]b 53+9CP;C'ksPD53Z(j6DO$hC4P;X53Z(j6# g{IEOBD53Z(j64vVZ WITH USE FOR SdP,G4,SGq\EN#,S\EN1,|98vK,SGT=IE ,S9G~=IE,S# v IEOBD{F:kIE,SX*DIEOBDD{F# v LPDG+:(}IE,SLPDG+# TBG4\qCT=IE,SDn#{-r: v M'z&CLr49C TCP/IP 4k DB2 ~qw(E#M'z&CLrkIC4( "T=r~=IE,SD DB2 ~qw(E1,(;\'VD-iG TCP/IP# v }]b~qwO$`MhC* CLIENT# v }]b~qw;PQtCDIEOBDTs#IEOBDTsD(eXkw78v ENABLE,T9CIEOBD;O*kkV,SDtT`%d# v }]b~qwODIEOBDTska)DIEtT;%d#}g,I\fZBP iv.;: – ,SD53Z(j6kNNIEOBDTsD53Z(j6<;%d# – 4(,SD IP X7krcCZ,SDIEOBDTsPDNN IP X7<;%d# – ,Sy9CD}]wS\=(krcCZ,SDIEOBDTsP ENCRYP- TION tTD5;%d# IT9C db2pd $_4Kb(",SD IP X7",Sy9CD}]wrxgDS\ 6pT0(",SD53Z(j6#ITN< SYSCAT.CONTEXTS M SYSCAT.CONTEXTATTRIBUTES ?$r_a)KmsD>$# v ZBq_gO4"vP;C'ks# 122 }]b2+T8O v kIE,S`X*DIEOBDQ-;{C">}rDd#ZKivB,;JmP ;A("KIE,SDC'j6# Z 3 B 9CIEOBDMIE,S 123 124 }]b2+T8O Z 4 B PMPCJXF (RCAC) Ev DB2 V10.1 }kKPMPCJXF (RCAC) w*}]2+TDd{c#PMPCJX F (RCAC) P1F*8E#HCJXFr FGAC#RCAC ZP6pM/rP6pXFT mDCJ#IT9C RCAC 49dmX(#M# *Kq-wV~.(f,zIT5V}LM=(47#E"\=dVD#$#i/P DvK;JmCJ{G4P$wNqyhD}]S/#}g,zDlrD~.(fI \f(,=zP(i4dNFD<_D!z(,+;\i4d{<_D!z(#`, D(f9I\f(,}G<_,b,qr;Jm@z#!a)_CJ<_DvKE" (}g,<_DR%g0Ek)# IT9CPMPCJXF47#C';\CJ{GD$wyhD}]#}g,KP DB2 for Linux, UNIX, and Windows M RCAC D=:53IT}K<_E"M}]Tv| 
(X(=zyhD}]#Z=zXD.0,d{<_;fZ#,y,1<_~qzm i/,;=:D<_m1,{G\;i4<_U{Mg0EkP,+!zPT{GG ~XD#g{}]G~XD,G4+T> NULL r8C5,x;G5JD!z# PMPCJXFr RCAC _PBPEc: v ;b}NN}]bC'GPMPCJXFfrLPDXT# b)fr;ab}uA_P|_6p(^DC'(}g,_P DATAACCESS (^D C')#v_P2+T\m1 (SECADM) (^DC'E\\m}]bPDPMPC JXF#rK,zIT9C RCAC 4h9_P DATAACCESS (^DC'TICJ }]bPDyP}]# v ;\gN(} SQL 4CJm,m}]<\#$# &CLr"Y1a)Di/$_M(fzI$_mxPCJXF#TPMP4(D SQL f rG5VK&\Dy!# PMPCJXFG2+T\m1CZ\m~=M2+T_TDCJXF#M#RCAC J myPC'CJ,;vm,x;GmD8CS<#;x,RCAC +y]km`X*D_ Ty8(DwvC'mI(rfr4^FTmDCJ#fZ=ifr,;iJCZ P,m;iJCZP# © Copyright IBM Corp. 2013 125 v PmI( – PmI(G}]bTs,|m>X(mDPCJXFfr# – PCJXFfrG SQL Qwu~,|hvC'ITCJDP/# v PZk – PZkG}]bTs,|m>mPX(PDPCJXFfr# – PCJXFfrG SQL CASE mo=,|hvC'P(i4DP5T0*zcD u~# CZ\m RCAC frD SQL od (}9CBP SQL od,IT4("DdM>} RCAC fr# CZ\m RCAC mI(MZkDZC/} 9CBPZCj?/}4m>mI(MZkPDu~#}g,C'XktZ;vr` vG+r_tZ;vr`viE\CJX(P# =8:9CPMPCJXFD ExampleHMO K=8+ ExampleHMO(;v_Ps?}ZNFD<_DzRi/)m>*PMPCJ XFDC'#ExampleHMO 9CPMPCJXF47#d}]b_T43K~.(fT Z~=M2+TD*sT0\m5q?j# &m<_!54,E"0dvKE"Di/(g ExampleHMO)XkqX~.D~=M }]#$(f(}g,!5#UIF2TMpN(8 (HIPAA))#b)~=M}]#$ (f7#2m"i4M^DNNtPD<_=FE"rvKE"DYw;\IPX( 4Pb)YwD(&z94P#TC(8DNN%4+D)7P?1,+ ;Jm}i4tPD<_=FE"rvK}] (g<_D#UE)# IT9CPZk4}KtP}]rT Jane ~X b)}]# +PCJ(^ZvTX(C'a)#vJm Dr. Lee i4{T:D<_D<_E","GJm{ i4 ExampleHMO 53PDyP<_# IT5VPmI(TXFD)C'ITi4N NX(P# 126 }]b2+T8O 2+TQb bv2+TQbDPMPCJXF&\?~ Z“Ph*E\*@”y!O^F}]# PmI(SOZC'6p^Fm6p}]Pz ZbvKQb# ^Fd{}]bTs,gPX RCAC #\}] D UDF"%"wMS<# PMPCJXFZ}]6p#$}]#}GP MPCJXFbv=8DbvT}]*PDD XT,4TuAG UDF"%"wMS<.`D }]bTs?F4P2+_T# =8:9CPMPCJXFD ExampleHMO - }]bC'MG+ ZK=8P,m`;,DK4("#$M9C ExampleHMO }]#b)K_P;,D C'(^M}]b(^# ExampleHMO 5VKd2+_TT+S}]bCJ}]D==xPV`#T}]DZ? Mb?CJ+yZCJ}]DC'D0pVkT0b)C'D}]CJX(# ExampleHMO 4(KBP}]bG+4Vkb)0p: PCP m>wN=z# DRUG_RESEARCH m>P?1# ACCOUNTING m>aF# MEMBERSHIP m>mSv(NSMv(;NSD<_DI1# PATIENT m><_# BPK1+4("#$M9C ExampleHMO }]: Alex ExampleHMO w2+T\m1#{5P SECADM (^# Peter ExampleHMO }]b\m1#{5P DBADM (^# Paul ExampleHMO }]b*"_#{_P4(%"wMC'(eD/}DX(# Dr. 
Lee ExampleHMO =z#{tZ PCP G+# Jane Innovative Pharmaceutical Company(ExampleHMO DOwoi)D)7P?1#} tZ DRUG_RESEARCH G+# John ExampleHMO aF?#{tZ ACCOUNTING G+# Tom ExampleHMO I1Jq\mK1#{tZ MEMBERSHIP G+# Z 4 B PMPCJXF (RCAC) 127 Bob ExampleHMO <_#{tZ PATIENT G+# g{z*"TK=8Pa)DNN>} SQL odM|n,k4(b)C'j6"T{ GZhyP>D(^# BP>} SQL odY(53PQ4(b)C'#b) SQL od4(?vG+"xb )C'ZhT ExampleHMO }]bPDwVmD SELECT M INSERT mI(: --Creating roles and granting authority CREATE ROLE PCP; CREATE ROLE DRUG_RESEARCH; CREATE ROLE ACCOUNTING; CREATE ROLE MEMBERSHIP; CREATE ROLE PATIENT; GRANT ROLE PCP TO USER LEE; GRANT ROLE DRUG_RESEARCH TO USER JANE; GRANT ROLE ACCOUNTING TO USER JOHN; GRANT ROLE MEMBERSHIP TO USER TOM; GRANT ROLE PATIENT TO USER BOB; =8:9CPMPCJXFD ExampleHMO - }]bm K=8Xci\ ExampleHMO }]bPD=vm:PATIENT mM PATIENTCHOICE m# PATIENT mf"y>D<_E"M!54,E"#K=8+ SSN * 123-45-6789 D<_,b+ *dE"TCZ='P?# BP>} SQL od4( PATIENT"PATIENTCHOICE M ACCT_HISTORY m#+Z hTmD(^"R+ek}]# --Patient table storing information regarding patient CREATE TABLE PATIENT ( SSN CHAR(11), USERID VARCHAR(18), NAME VARCHAR(128), ADDRESS VARCHAR(128), PHARMACY VARCHAR(250), ACCT_BALANCE DECIMAL(12,2) WITH DEFAULT, PCP_ID VARCHAR(18) ); --Patientchoice table which stores what patient opts --to expose regarding his health information CREATE TABLE PATIENTCHOICE ( SSN CHAR(11), CHOICE VARCHAR(128), VALUE VARCHAR(128) ); --Log table to track account balance CREATE TABLE ACCT_HISTORY( SSN CHAR(11), BEFORE_BALANCE DECIMAL(12,2), AFTER_BALANCE DECIMAL(12,2), WHEN DATE, BY_WHO VARCHAR(20) ); --Grant authority GRANT SELECT, UPDATE ON TABLE PATIENT TO ROLE PCP; GRANT SELECT ON TABLE PATIENT TO ROLE DRUG_RESEARCH; GRANT SELECT, UPDATE ON TABLE PATIENT TO ROLE ACCOUNTING; GRANT SELECT ON TABLE ACCT_HISTORY TO ROLE ACCOUNTING; GRANT SELECT, UPDATE, INSERT ON TABLE PATIENT TO ROLE MEMBERSHIP; GRANT INSERT ON TABLE PATIENTCHOICE TO ROLE MEMBERSHIP; GRANT SELECT ON TABLE PATIENT TO ROLE PATIENT; GRANT SELECT, ALTER ON TABLE PATIENT TO USER ALEX; 
GRANT ALTER, SELECT ON TABLE PATIENT TO USER PAUL; GRANT INSERT ON TABLE ACCT_HISTORY TO USER PAUL; Z 4 B PMPCJXF (RCAC) 129 --Insert patient data INSERT INTO PATIENT VALUES(’123-55-1234’, ’MAX’, ’Max’, ’First Strt’, ’hypertension’, 89.70,’LEE’); INSERT INTO PATIENTCHOICE VALUES(’123-55-1234’, ’drug-research’, ’opt-out’); INSERT INTO PATIENT VALUES(’123-58-9812’, ’MIKE’, ’Mike’, ’Long Strt’, null, 8.30,’JAMES’); INSERT INTO PATIENTCHOICE VALUES(’123-58-9812’, ’drug-research’, ’opt-out’); INSERT INTO PATIENT VALUES(’123-11-9856’, ’SAM’, ’Sam’, ’Big Strt’, null, 0.00,’LEE’); INSERT INTO PATIENTCHOICE VALUES(’123-11-9856’, ’drug-research’, ’opt-in’); INSERT INTO PATIENT VALUES(’123-19-1454’, ’DUG’, ’Dug’, ’Good Strt’, null, 0.00,’JAMES’); INSERT INTO PATIENTCHOICE VALUES(’123-19-1454’, ’drug-research’, ’opt-in’); =8:9CPMPCJXFD ExampleHMO - 2+T\m 2+T\mM2+T\m1 (SECADM) G+Z#$ ExampleHMO PD<_M+>} ]=fP\X*DwC#Z ExampleHMO P,\mv(K;,DK5P}]b\m( ^M2+T\m(^# ExampleHMO D\mESv(4(G+4\mTd}]DCJ#CES9v(,1!i vB,49_P DATAACCESS (^DC'2^(i4\#$D!54,}]MvK} ]# \mES!q Alex w* ExampleHMO D(;2+T\m1#SVZ*<,Alex +X FyP}]CJ(^#hzK(^,Alex (e2+Tfr,}g,PmI("PZkT 0/}M%"wGq2+#b)frXFD)C'ITPXFXCJNNx(}]# Z Peter(}]b\m1)4(XhDm"("XhDG+.s,+Vk0p#+(}9 Alex I*2+T\m14Vk}]b\m0pM2+T\m0p# Peter ,SA}]b"T Alex Zh SECADM (^#r* Peter 105P DBADM"DATAACCESS M SECADM (^,yT{ITZh SECADM (^# -- To seperate duties of security administrator from system administrator, -- the SECADMN Peter grants SECADM authority to user Alex. 
GRANT SECADM ON DATABASE TO USER ALEX; Alex ZqC SECADM (^.s,SA}]b"7z Peter D2+T\m1X(#V ZQVkb)0p,"R Alex I*(;P(T ExampleHMO Z?Mb?Dd{KZ h}]CJ(DK#TB SQL odT>K Alex gN7z Peter D SECADM (^: --revokes the SECADM authority for Peter REVOKE SECADM ON DATABASE FROM USER PETER; =8:9CPMPCJXFD ExampleHMO - PmI( 2+T\m1 Alex (}9CPmI((PMPCJXFD;v?~)4*<^FT ExampleHMO }]bD}]CJ#PmI(4PT5X=C'D}]xP}K# 130 }]b2+T8O Jm<_i4T:D}]#Jm=zi4dyP<_D}],+;Jmi4Id{= zNFD<_D}]#tZ MEMBERSHIP"ACCOUNTING r DRUG_RESEARCH G +DC'ITCJyP<_E"#*s2+T\m1 Alex 5Vb)mI(,TZ“Ph *E\*@”y!O^FD)C'ITi4NNx(P# PmI(+y]QG<}]bDC'4^Fr}KP#Z ExampleHMO P,PmI( +Z{* PATIENT DmO4(;var}]^F# Alex +5VBPPmI(,Tc+_PwTG+DC'^F*;\i4{GPX(i4 Da{/: CREATE PERMISSION ROW_ACCESS ON PATIENT ------------------------------------------------------- -- Accounting information: -- ROLE PATIENT is allowed to access his or her own row -- ROLE PCP is allowed to access his or her patients’ rows -- ROLE MEMBERSHIP, ACCOUNTING, and DRUG_RESEARCH are -- allowed to access all rows ------------------------------------------------------------ FOR ROWS WHERE(VERIFY_ROLE_FOR_USER(SESSION_USER,’PATIENT’) = 1 AND PATIENT.USERID = SESSION_USER) OR (VERIFY_ROLE_FOR_USER(SESSION_USER,’PCP’) = 1 AND PATIENT.PCP_ID = SESSION_USER) OR (VERIFY_ROLE_FOR_USER(SESSION_USER,’MEMBERSHIP’) = 1 OR VERIFY_ROLE_FOR_USER(SESSION_USER,’ACCOUNTING’) = 1 OR VERIFY_ROLE_FOR_USER(SESSION_USER, ’DRUG_RESEARCH’) = 1) ENFORCED FOR ALL ACCESS ENABLE; Alex [l=,49Z4(PmI(.s,d{01T;ITi4yP}]#1=T(e KPmI(Dm$nPmI(.s,Ea&CPmI(#Alex Xk"4$nCmI(: --Activate row access control to implement row permissions ALTER TABLE PATIENT ACTIVATE ROW ACCESS CONTROL; =8:9CPMPCJXFD ExampleHMO - PZk 2+T\m1 Alex (}9CPZk(PMPCJXFD;v?~)4x;=^FT ExampleHMO }]bD}]CJ#}GJmC'i45Xx{GD}],qrPZk+ 4P4~Xb)}]# <_6nj8E"Xk;\IaF?EDC'CJ#J'`n;\;NNd{}]b C'4=#*s Alex h9NN;tZ ACCOUNTING G+DC'xPCJ# Alex +5VTBPZk,Tc+_PwTG+DC'^F*;\i4{GPX(i4D a{/: --Create a Column MASK ON ACCT_BALANCE column on the PATIENT table CREATE MASK ACCT_BALANCE_MASK ON PATIENT FOR
------------------------------------------------------------ -- Accounting information: -- Role ACCOUNTING is allowed to access the full information -- on column ACCT_BALANCE. -- Other roles accessing this column will strictly view a -- zero value. ------------------------------------------------------------ COLUMN ACCT_BALANCE RETURN CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER,’ACCOUNTING’) = 1 Z 4 B PMPCJXF (RCAC) 131 THEN ACCT_BALANCE ELSE 0.00 END ENABLE; Alex [l=,49Z4(PZk.s,d{01T;ITi4C}]#1=T(eKP ZkDm$nPZk.s,Ea&CPZk#Alex Xk"4$nCZk: --Activate column access control to implement column masks ALTER TABLE PATIENT ACTIVATE COLUMN ACCESS CONTROL; *s Alex (}\m4~X<_D#UE#;P<_"=z"aFr_P MEMBER- SHIP G+DKE\i4 SSN P# Kb,*#$<_D PHARMACY j8E",PHARMACY PPDE"Xk;\I) 7P?1r=zi4#v1<_,b+*CE"1,)7P?1E\i4}]# Alex +5VTBPZk,Tc+_PwTG+DC'^F*;\i4{GPX(i4D a{/: CREATE MASK SSN_MASK ON PATIENT FOR ---------------------------------------------------- -- Personal contact information: -- Roles PATIENT, PCP, MEMBERSHIP, and ACCOUNTING are allowed -- to access the full information on columns SSN, USERID, NAME, -- and ADDRESS. Other roles accessing these columns will -- strictly view a masked value. ----------------------------------------------------- COLUMN SSN RETURN CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER,’PATIENT’)=1OR VERIFY_ROLE_FOR_USER(SESSION_USER,’PCP’)=1OR VERIFY_ROLE_FOR_USER(SESSION_USER,’MEMBERSHIP’)=1OR VERIFY_ROLE_FOR_USER(SESSION_USER,’ACCOUNTING’) = 1 THEN SSN ELSE CHAR(’XXX-XX-’ || SUBSTR(SSN,8,4)) END ENABLE; CREATE MASK PHARMACY_MASK ON PATIENT FOR -------------------------------------------------------- -- Medical information: -- Role PCP is allowed to access the full information on -- column PHARMACY. -- For the purposes of drug research, Role DRUG_RESEARCH can -- conditionally see a patient’s medical information -- provided that the patient has opted-in. -- In all other cases, null values are rendered as column -- values. 
---------------------------------------------------- COLUMN PHARMACY RETURN CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER,’PCP’)=1OR (VERIFY_ROLE_FOR_USER(SESSION_USER,’DRUG_RESEARCH’)=1 AND EXISTS (SELECT 1 FROM PATIENTCHOICE C WHERE PATIENT.SSN = C.SSN AND C.CHOICE = ’drug-research’ AND C.VALUE = ’opt-in’)) THEN PHARMACY ELSE NULL END ENABLE; Alex [l=,Z4(b=vPZk.s,v$ZDC'E\4=C}]#PATIENT m Q$nPCJXF# 132 }]b2+T8O =8:9CPMPCJXFD ExampleHMO - ek}] SIB<_xk=:xPNF1,Xk+B<_DG} SQL od|BCG<: UPDATE PATIENT SET PHARMACY = ’codeine’ WHERE NAME = ’Bob’; Dr. Lee liC|B: Select * FROM PATIENT WHERE NAME = ’Bob’; SSN USERID NAME ADDRESS PHARMACY ACCT_BALANCE PCP_ID ----------- --------- ------- ------------ ----------- -------------- ------ 123-45-6789 BOB Bob 123 Some St. codeine 0.00 LEE Dug G<_,{DwN=zG Dr. Lee D,B Dr. James#Dr. Lee "TT Dug DG 2m{GD}]1,Eaa) PHARMACY }]# TBG John 4=Da{/: SSN USERID NAME ADDRESS PHARMACY ACC_BALANCE PCP_ID ----------- -------- -------- ----------- ----------- ----------- -------- 123-55-1234 MAX Max First Strt XXXXXXXXXXX 89.70 LEE 123-58-9812 MIKE Mike Long Strt XXXXXXXXXXX 8.30 JAMES 123-11-9856 SAM Sam Big Strt XXXXXXXXXXX 0.00 LEE 123-19-1454 DUG Dug Good Strt XXXXXXXXXXX 0.00 JAMES 123-45-6789 BOB Bob 123 Some St.XXXXXXXXXXX 9.00 LEE 5 record(s) selected. 
John IT4=yPI1#{tZ ACCOUNTING G+#T{~XK PHARMACY P }]# =8:9CPMPCJXFD ExampleHMO - 4(S< ITZ(eKPMPCJXFDmO4(S<#*s2+T\m1 Alex Z PATIENT m O4(='P?1IT9CDS<# k ExampleHMO _POwX5DP?1ITZ<_JmDivBCJP^D<_}]# *s Alex M IT ES4(S<,TvP><_DkP?PXDX(E"#C(fXk |,<_#UE"<_DU{M<_!qD96!n# 4(DS<+Cf<_y>E"M!54,96!n#KS<7#<_E"\#$" vZ<_mIDivB\CfTCZNNd{?D# Alex M IT ES+5VTBS<: CREATE VIEW PATIENT_INFO_VIEW AS SELECT P.SSN, P.NAME FROM PATIENT P, PATIENTCHOICE C WHERE P.SSN = C.SSN AND C.CHOICE = ’drug-research’ AND C.VALUE = ’opt-in’; Z Alex M{DES4(CS<.s,C'ITi/CS<#C'+4U4(CS<1 Zy>mO(eDPMPCJXFfr4i4}]# Alex ZTCS<4PTBi/.sa4=TBa{/: Z 4 B PMPCJXF (RCAC) 135 SELECT SSN, NAME FROM PATIENT_INFO_VIEW; SSN NAME ----------- ---------- 0 record(s) selected. Dr. Lee ZTCS<4PTBi/.sa4=TBa{/: SELECT SSN, NAME FROM PATIENT_INFO_VIEW; SSN NAME ----------- ---------- 123-11-9856 Sam 123-45-6789 Bob 2 record(s) selected. Bob ZTCS<4PTBi/.sa4=TBa{/: SELECT SSN, NAME FROM PATIENT_INFO_VIEW; SSN NAME ----------- ---------- 123-45-6789 Bob 1 record(s) selected. 
=8:9CPMPCJXFD ExampleHMO - 2+/} XkO*/}G2+D,;sE\ZPMPCJXF(ePwCb)/}#2+T\ m1 Alex k ExampleHMO D}]b*"_ Paul V[gNE\*{DBFq&CL r4(2+/}# Z ExampleHMO PD~=M2+T_Tz'.s,+(* Alex,aF?Q*"K&\ ?sDFq&CLr#ExampleHMOAccountingUDF G SQL j?C'(eD/} (UDF),CZ PATIENT.ACCT_BALANCE mMPDPZk ACCT_BALANCE_MASK P# ZPZkP;\wC2+D UDF#Alex WHk`4 UDF D Paul V[ UDF,T7# UDF PDYwG2+D# 1 Alex O*C/}2+1,{aT Paul Zh53X(,Tc Paul IT+ UDF D d*2+ UDF: GRANT CREATE_SECURE_OBJECT ON DATABASE TO USER PAUL; * 4 ( 2 + UDF r + UDF D d * 2 + UDF, X k T * " _ Z h CREATE_SECURE_OBJECT (^# Paul 4(TB/}: CREATE FUNCTION EXAMPLEHMOACCOUNTINGUDF(X DECIMAL(12,2)) RETURNS DECIMAL(12,2) LANGUAGE SQL CONTAINS SQL DETERMINISTIC NO EXTERNAL ACTION RETURN X*(1.0 + RAND(X)); Paul DdC/}T9|I*2+/}: 136 }]b2+T8O ALTER FUNCTION EXAMPLEHMOACCOUNTINGUDF SECURED; Alex VZ>}"XB4(Zk ACCT_BALANCE_MASK,Tc9CB UDF: --Drop the mask to recreate DROP MASK ACCT_BALANCE_MASK; CREATE MASK EXAMPLEHMO.ACCT_BALANCE_MASK ON PATIENT FOR ------------------------------------------------------------ -- Accounting information: -- Role ACCOUNTING is allowed to invoke the secured UDF -- ExampleHMOAccountingUDF passing column ACCT_BALANCE as -- the input argument -- Other ROLEs accessing this column will strictly view a -- zero value. ------------------------------------------------------------ COLUMN ACCT_BALANCE RETURN CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER,’ACCOUNTING’) = 1 THEN EXAMPLEHMOACCOUNTINGUDF(ACCT_BALANCE) ELSE 0.00 END ENABLE; _P PCP G+D Dr. Lee XkwC)7VvC'(eD/}#DrugUDF 5X<_D )7E"#Z}%,Dr. Lee "vwC DrugUDF D SELECT od.sa\lSU= a{/#Z9CPMPCJXF#$ PATIENT m.s,`,Di/h*|$D1dE \5Xa{/# Dr. Lee r ExampleHMO IT K1M2+T\m1 Alex I/PXKT\B5DJb# Alex f_ Dr. Lee,g{ UDF ;2+,G4^(E/i/,rKi/h*|$D1d E\5Xa{/# Alex k Dr.
Lee MyP_ Paul li UDF,T7# UDF PDYwG2+D#1 Paul T;_P Alex ZhD CREATE_SECURE_OBJECT X(1,Alex *s Paul + UDF Dd*2+ UDF: --Function for ExampleHMO Pharmacy department CREATE FUNCTION DRUGUDF(PHARMACY VARCHAR(5000)) RETURNS VARCHAR(5000) NO EXTERNAL ACTION BEGIN ATOMIC IF PHARMACY IS NULL THEN RETURN NULL; ELSE RETURN ’Normal’; END IF; END; --Secure the UDF ALTER FUNCTION DRUGUDF SECURED; --Grant execute permissions to Dr.Lee GRANT EXECUTE ON FUNCTION DRUGUDF TO USER LEE; Dr. Lee IT"vi/"RIT4$ZE/Ci/: --Querying after the function is secured SELECT PHARMACY FROM PATIENT Z 4 B PMPCJXF (RCAC) 137 WHERE DRUGUDF(PHARMACY) = ’Normal’ AND SSN = ’123-45-6789’; PHARMACY -------- codeine 1 record(s) selected. =8:9CPMPCJXFD ExampleHMO - 2+%"w Z$nKPrPCJXFDmO(eD%"wXkG2+D#2+T\m1 Alex k ExampleHMO D}]b*"_ Paul V[gNE\*{DBFq&CLr4(2+%" w# Alex kaF?;8"Kb= PATIENT mh* AFTER UPDATE %"w#K%"w+ `S ACCT_BALANCE PDz7G<# Alex T Paul bM(Paul _P4(K%"wDXhX(),Xk+ZPMPCJ\#$ DmP(eDNN%"wjG*2+#Paul M Alex liB%"wDYw"O*K%" wG2+D# ExampleHMO_ACCT_BALANCE_TRIGGER +`S PATIENT mPD ACCT_BALANCE P # ? 1 | B C P 1 , C % " w a ; % " " + 1 0 J ' ` n j8E " e k ACCT_HISTORY mP# Paul 4(C%"w: CREATE TRIGGER HOSPITAL.NETHMO_ACCT_BALANCE_TRIGGER AFTER UPDATE OF ACCT_BALANCE ON PATIENT REFERENCING OLD AS O NEW AS N FOR EACH ROW MODE DB2SQL SECURED BEGIN ATOMIC INSERT INTO ACCT_HISTORY (SSN, BEFORE_BALANCE, AFTER_BALANCE, WHEN, BY_WHO) VALUES(O.SSN, O.ACCT_BALANCE, N.ACCT_BALANCE, CURRENT TIMESTAMP, SESSION_USER); END; aF?D John Xk|Bd SSN G ’123-45-6789’ D<_ Bob DJ'`n# John Z4P|B.0i4 Bob D}]: SELECT ACCT_BALANCE FROM PATIENT WHERE SSN = ’123-45-6789’; ACCT_BALANCE -------------- 9.00 1 record(s) selected. SELECT * FROM ACCT_HISTORY WHERE SSN = ’123-45-6789’; SSN BEFORE_BALANCE AFTER_BALANCE WHEN BY_WHO ----------- -------------- -------------- ---------- -------------------- 0 record(s) selected. 
;s John 4P|B: UPDATE PATIENT SET ACCT_BALANCE = ACCT_BALANCE * 0.9 WHERE SSN = ’123-45-6789’; 138 }]b2+T8O r* PATIENT mP(eK%"w,yT|Ba%"K%"w#r*%"w(eK SECURED,yTI&jIK|B#John Z4P|B.si4 Bob D}]: SELECT ACCT_BALANCE FROM PATIENT WHERE SSN = ’123-45-6789’; ACCT_BALANCE -------------- 8.10 1 record(s) selected. SELECT * FROM ACCT_HISTORY WHERE SSN = ’123-45-6789’; SSN BEFORE_BALANCE AFTER_BALANCE WHEN BY_WHO ----------- -------------- -------------- ---------- -------------------- 123-45-6789 9.00 8.10 2010-10-10 JOHN 1 record(s) selected. =8:9CPMPCJXFD ExampleHMO - 7z(^ w*2+T\m1,Alex :pXFIT4(2+TsDK#1*"_4(K2+Ts. s,Alex +7z{GT}]bD(^# }]b*"_ Paul QjI*"n/#Alex "47z Paul D4((^: REVOKE CREATE_SECURE_OBJECT ON DATABASE FROM USER PAUL; g{ Paul ZTsXk4(2+Ts,G4{XkYNr Alex ksZh4((^# =8:9CPMPCJXFD ExampleBANK K=8+ ExampleBANK(;v_Ps?M'Mm`'PDxPz9)w*PMPCJ XFDC'xPi\#ExampleBANK 9CPMPCJXF47#d}]b_T43K +>TZ~=M2+TD*sT0\m5q?j# &mM'D6J"fn0dvKE"Di/(g ExampleBANK)vZXk*@Dy! O2mdi/PDE"#K}]#$7#2m"i4M^DNNtPDM'pZE" rvKE"DYw;\IPX(4Pb)YwD014P# =8:9CPMPCJXFD ExampleBANK - 2+_T ExampleBANK 4U3)2+_T45VT DB2 }]bxP}]CJ*q-D2+_ T# b)2+_T{O ExampleBANK D~=M}]#$fB#Z;PEvKb)_TM ExampleBANK yfTDQb,Z~PEvKbvQbD DB2 PMPCJXF (RCAC) &\?~# 2+TQb bv2+TQbDPMPCJXF&\?~ +PCJ(^ZvTZ(C'a)#vI1v ;Jmi4tZd'PDM'}],x^(i 4+>6'53P ExampleBANK DyPM '# IT5VPmI(TXFD)C'ITi4N NX(P# Z 4 B PMPCJXF (RCAC) 139 2+TQb bv2+TQbDPMPCJXF&\?~ M'~qzm;PZ9CJ'|B&CLr1 E \ C J J E # ( } f"} L ACCOUNTS.ACCTUPDATE 4j6K&CL r# g { M ' ~ q z m Z ACCOUNTS.ACCTUPDATE &CLrDb?i /}],G4IT9CPZk4}KtP}] rT{G~Xb)}]# =8:9CPMPCJXFD ExampleBANK - }]bC'MG+ ZK=8P,m`;,DK9C ExampleBANK }]#b)K_P;,DC'(^# ExampleBANK 5VKd2+_TT+S}]bCJ}]D==xPV`#T}]DZ ? 
C J + y Z C J } ] D C ' D 0 p V k T 0 b ) C ' D } ] C J X ( # ExampleBANK 4(KBP}]bG+4Vkb)0p: TELLER m>VP;CDvI1# TELEMARKETER m>g0*zK1# CSR m>M'~qzm# BPK19C ExampleBANK }]: ZURBIE ExampleBANK DM'~qzm#}tZ CSR G+# NEWTON ExampleBANK 'PDvI1#{tZ TELLER G+# PLATO ExampleBANK Dg0*zK1#{tZ TELEMARKETER G+# g{z*"TK=8Pa)DNN>} SQL odM|n,k4(b)C'j6"T{ GZhyP>D(^# BP>} SQL odY(53PQ4(b)C'#b) SQL od4(?vG+"xb )C'ZhT ExampleBANK }]bPDwVmD SELECT mI(: --Creating roles and granting authority CREATE ROLE TELLER; CREATE ROLE CSR; CREATE ROLE TELEMARKETER; GRANT ROLE TELLER TO USER NEWTON; GRANT ROLE CSR TO USER ZURBIE; GRANT ROLE TELEMARKETER TO USER PLATO; =8:9CPMPCJXFD ExampleBANK - }]bm K = 8 X c i \ ExampleBANK } ] b P D = v m : CUSTOMER m M INTERNAL_INFO m# 140 }]b2+T8O INTERNAL_INFO mf"PX* ExampleBANK $wD01DE"#K=8+} SQL od4( CUSTOMER mM INTERNAL_INFO m#+ZhTmD(^ "R+ek}]# --Client table storing information regarding client information CREATE TABLE RCACTSPM.CUSTOMER ( ACCOUNT VARCHAR(19), NAME VARCHAR(20), INCOME INTEGER, BRANCH CHAR(1) ); --Internal_info table which stores employee information CREATE TABLE RCACTSPM.INTERNAL_INFO ( HOME_BRANCH CHAR(1), EMP_ID VARCHAR(10)); --Grant authority GRANT SELECT ON RCACTSPM.CUSTOMER TO USER NEWTON, USER ZURBIE, USER PLATO; --Insert data INSERT INTO RCACTSPM.CUSTOMER VALUES (’1111-2222-3333-4444’, ’Alice’, 22000, ’A’); INSERT INTO RCACTSPM.CUSTOMER VALUES (’2222-3333-4444-5555’, ’Bob’, 71000, ’A’); INSERT INTO RCACTSPM.CUSTOMER VALUES (’3333-4444-5555-6666’, ’Carl’, 123000, ’B’); INSERT INTO RCACTSPM.CUSTOMER VALUES (’4444-5555-6666-7777’, ’David’, 172000, ’C’); INSERT INTO RCACTSPM.INTERNAL_INFO VALUES (’A’, ’NEWTON’); INSERT INTO RCACTSPM.INTERNAL_INFO VALUES (’B’, ’ZURBIE’); INSERT INTO RCACTSPM.INTERNAL_INFO VALUES (’C’, ’PLATO’); =8:9CPMPCJXFD ExampleBANK - PmI( ExampleBANK D2+T\m1(}9CPmI((PMPCJXFD;v?~)4* <^F}]CJ#PmI(4PT5X=C'D}]xP}K# ;JmvI1i4dyZ'PPDM'}]#Jmg0Fz1M CSR(M'~qzm) i453PDyP ExampleBANK M',+g0Fz1^(i4j{JE# Z 4 B PMPCJXF (RCAC) 141
PmI(+y]QG<}]bDC'4^Fr}KP#Z ExampleBANK P,PmI( +Z CUSTOMER mO4(;var}]^F# 2+T\m1+5VBPPmI(,Tc+_PwTG+DC'^F*;\i4{G PX(i4Da{/: CREATE PERMISSION TELLER_ROW_ACCESS ON RCACTSPM.CUSTOMER ------------------------------------------------------- -- Teller information: -- ROLE TELLER is allowed to access client data only -- in their branch. ------------------------------------------------------------ FOR ROWS WHERE VERIFY_ROLE_FOR_USER(USER, ’TELLER’) = 1 AND BRANCH = (SELECT HOME_BRANCH FROM RCACTSPM.INTERNAL_INFO WHERE EMP_ID = USER) ENFORCED FOR ALL ACCESS ENABLE; CREATE PERMISSION CSR_ROW_ACCESS ON RCACTSPM.CUSTOMER ------------------------------------------------------- -- CSR and telemarketer information: -- ROLE TELEMARKETER and CSR are allowed to access all client -- data rows in ExampleBANK. ------------------------------------------------------------ FOR ROWS WHERE VERIFY_ROLE_FOR_USER (USER, ’CSR’) = 1 OR VERIFY_ROLE_FOR_USER (USER, ’TELEMARKETER’) = 1 ENFORCED FOR ALL ACCESS ENABLE; 2+T\m1[l=,49Z4(PmI(.s,01T;ITi4yP}]#1= T(eKPmI(Dm$nPmI(.s,Ea&CPmI(#2+T\m1Xk" 4$nCmI(: --Activate row access control to implement row permissions ALTER TABLE RCACTSPM.CUSTOMER ACTIVATE ROW ACCESS CONTROL; =8:9CPMPCJXFD ExampleBANK - PZk ExampleBANK 2+T\m1(}9CPZk(PMPCJXFD;v?~)4x;= ^F}]CJ#}GJmC'r&CLri45XD}],qrPZk+4P4~X 5X=C'r&CLrD}]# M'~qzmITi4 ExampleBANK 53PDyPM',+G;JmM'~qzmi 4j{DJE,}G{G}Z9CX(D&CLr# 2+T\m1+5VTBPZk,Tc+M'~qzm^F*;\i4{GPX(i 4Da{/: CREATE MASK ACCOUNT_COL_MASK ON RCACTSPM.CUSTOMER FOR ------------------------------------------------------------ -- Account number information: -- Role customer service representative (CSR) is allowed to -- access account number information only when they are using -- the account update application. This application is -- identified through stored procedure ACCOUNTS.ACCTUPDATE. -- If a CSR queries this data outside of this application, the -- account information is masked and the first 12 digits are -- replaced with "x". 
------------------------------------------------------------ COLUMN ACCOUNT RETURN CASE WHEN (VERIFY_ROLE_FOR_USER (USER, ’CSR’)=1AND 142 }]b2+T8O ROUTINE_SPECIFIC_NAME = ’ACCTUPDATE’ AND ROUTINE_SCHEMA = ’ACCOUNTS’ AND ROUTINE_TYPE = ’P’) THEN ACCOUNT ELSE ’xxxx-xxxx-xxxx-’ || SUBSTR(ACCOUNT,16,4) END ENABLE; 2+T\m1[l=,49Z4(PZk.s,yP01T;ITi4C}]#1= T(eKPZkDm$nPZk.s,Ea&CPZk#2+T\m1Xk"4$n CZk: --Activate column access control to implement column masks ALTER TABLE RCACTSPM.CUSTOMER ACTIVATE COLUMN ACCESS CONTROL; =8:9CPMPCJXFD ExampleBANK - }]i/ hzPMPCJXF,_P;,G+DKITS`,D}]bi/PqC;,Da{ /#}g,Newton GvI1,{;\4=d'Pb?DM'DNN}]# Newton"Zurbie M Plato wT,SA}]b""T4PTB SQL i/: SELECT * FROM RCACTSPM.CUSTOMER; i/a{+fKPCi/DC'xPy;,#I2+T\m14(DPMPCJXF +&CZb)i/# TBG Newton 4=Da{/: ACCOUNT NAME INCOME BRANCH ------------------- -------------------- ----------- ------ xxxx-xxxx-xxxx-4444 Alice 22000 A xxxx-xxxx-xxxx-5555 Bob 71000 A 2 record(s) selected. Newton w*'P A DvI1;\4=tZC'PD ExampleBANK M'# TBG Zurbie 4=Da{/: ACCOUNT NAME INCOME BRANCH ------------------- -------------------- ----------- ------ xxxx-xxxx-xxxx-4444 Alice 22000 A xxxx-xxxx-xxxx-5555 Bob 71000 A xxxx-xxxx-xxxx-6666 Carl 123000 B xxxx-xxxx-xxxx-7777 David 172000 C 4 record(s) selected. Zurbie w*M'~qzmIT4=53PDyP ExampleBANK M',+4;=b)M 'Dj{JE,}G9C ACCOUNTS.ACCTUPDATE &CLr#r*GZ ACCOUNTS.ACCTUPDATE Db?"vKKi/,yT+~Xj{JE# TBG Plato 4=Da{/: ACCOUNT NAME INCOME BRANCH ------------------- -------------------- ----------- ------ xxxx-xxxx-xxxx-4444 Alice 22000 A xxxx-xxxx-xxxx-5555 Bob 71000 A Z 4 B PMPCJXF (RCAC) 143 xxxx-xxxx-xxxx-6666 Carl 123000 B xxxx-xxxx-xxxx-7777 David 172000 C 4 record(s) selected. 
Plato w*g0Fz1IT4=53PDyP ExampleBANK M'# 144 }]b2+T8O Z 5 B yZj)DCJXF (LBAC) yZj)DCJXF (LBAC) ssv?KzTD)C'\;CJ}]DXF#LBAC 9 z\;<7X7(TZwPwP_P4CJ(DC'M_PACJ(DC'# LBAC D&\ LBAC &\DdCr%=c,ITkTX(D2+73TdxP(F#yP LBAC d C$wCZ7(C'Gq&CCJ}]iDu~#}g,u~ITGC'GqZX (?EPr{GGqZjIX(n?#2+_ThvDGC47(D)C'\;CJ D)}]Du~#2+_T|,;vr`v2+jEi~#TZNN;vm,;\9 C;v2+_T4#$|,+;,DmITI;,D2+_T#$# 4(2+_T.s,2+T\m1+4(F*2+jEDTs,b)TsG2+_T DiI?V#2+jE|,2+jEi~#2+jED_eZ]I2+_T7(,I T+ddCIm>s%;Z7(D)C'\CJX(}]n1y@]Du~#}g, g{zv(i4+>P3KD0q0d#NDn?,Tc7({G&C4=D}], G4ITdC2+jET9?vjE“_”r“M”EN6 p)# ;)4(2+jE,MIT9dkwvmPMmP`X*T#$fEZG);CPD }]#\2+jE#$D}]F*\#$}]#2+T\m1(}+2+jEZhC '4JmCC'CJ\#$}]#1C'"TCJ\#$}]1,CC'D2+jE +kCZ#$C}]D2+jExPHO#CZxP#$DjE+h{;?V2+j E# Jm;vC'"G+ri,15P`v2+_TD2+jE#+G,TZNNx(D 2+_T,;vC'"G+rin`IT5P;vACJ(jEM;v4CJ(j E# 2+T\m19IT+b}(3hC'#b}(JmC'CJ2+jEI\;JmC JD\#$}]#2+jEMb}(3F* LBAC >$# g{"TCJ LBAC >$;JmCJD\#$P,CJMa'\,"Ra"vms{ "# g{"TA! LBAC >$;JmA!D\#$P,G4 DB2 a+G)PS*;fZ# ZKPDNN SQL od(|( SELECT"UPDATE r DELETE)P<;\!qG) P#49G[//}2avT LBAC >$;JmA!DP#}g,COUNT(*) /}+ ;5XzP(A!DP}# S$MGa0Z(j6DG) LBAC > © Copyright IBM Corp. 
2013 145 $#CJ,;S$# }Cj{T }K8m,+IZ%4 LBAC 4frx^(>}NNSm,G4&CaXv>}Y w""vms# 9C LBAC 1Df"w*z 9C LBAC ZP6p4#$;vm1,vSDf"wI>MGP2+jEPyhDI >#KI>!vZy!qD2+jED`M#}g,g{z4(_P=vi~D2+ _T4#$m,G4C2+_T9CD2+jE++*?P* (N*8+4)vVZ,dP N GiICZ#$mD2+_TDi~}# 9C LBAC ZP6p4#$;vm1,P2+jEG*}](4,|kCPD*}]; pf"Z SYSCOLUMNS ?}:g{z^(A!3vm,G4;aJmzA!CmD}] - 49G LBAC J mzCJDPMP`gK# v LBAC >$v^FT\#$}]DCJ#|G;0lT4\#$}]DCJ# v >}mr}]b1,;ali LBAC >$,49Cmr}]b|,\#$}]`g K# v 8]}]1,;ali LBAC >$#g{zITT3vmKP8],G4&CZ} ]D LBAC #$&\;aTNN==^FTwvmPD8]#"R,8]iJOD }]2;\ LBAC #$#;P}]bPD}]E\#$# v ;\9C LBAC 4#$BPNN`MDm: – G(m – G(m@5Dm – `Mm v ;\TGF&C LBAC #$&\# LBAC LL http://www.ibm.com/developerworks/data OZ_a)DLL*z<@K LBAC Dy>C (,CLLF* DB2 Label-Based Access Control, a practical guide# 146 }]b2+T8O LBAC 2+_T 2+T\m19C2+_T4(eTmPDwPwP_P4CJ(DC'M_PAC J(DC'# 2+_T|,TBE": v Z_Ty|,D2+jEP9CD2+jEi~ v ZHOG)2+jEi~19CDfr v ZCJ_Ty#$D}]19CDI!P* v Z?FCJ2+_Ty#$D}]1*D2+jEi~#4(2+_T1P>i~D3r"48>i~.dD NNEH3rrd{X5,+Z4(xPZC/}(}g SECLABEL)D2+jE1, *@i~D3rGG#X*D# (}z4(D2+_T,I4(2+jE4#$}]# Dd2+_T 2+T\m1IT9C ALTER SECURITY POLICY od4^D2+_T# >}2+_T zXkG2+T\m1E\>}2+_T#9C SQL od DROP 4>}2+_T# g{2+_TkNNj`X*,(mSANNm),G4;\>}K2+_T# LBAC 2+jEi~Ev 2+jEi~GiIyZjEDCJXF (LBAC) D}]bTs#2+jEi~C4( "s%;D2+a9#M# 2+jEi~ITm>NNu~,zIT9CCu~47(3vC'GqP(CJx (D}]#K`u~DdM>}|(: v CC'DIELH v CC'yZD?E v CC'GqNkX(Dn? 
Z 5 B yZj)DCJXF (LBAC) 147 >}:g{*CC'yZD?ETC'ITCJD)}]zz0l,G4IT4({ * dept Di~,;s(eCi~D*X"CG)*X8(+>PDwv?E#;s, +i~ dept |(Z2+_TP# 2+jEi~D*XGCi~yJmD;vX(“hC”# >}:m>EN6pD2+jEi~ITPDv*X:Top Secret"Secret"Classified M Unclassified# 4(2+jEi~ zXkG2+T\m1E\4(2+jEi~#9C SQL od CREATE SECURITY LABEL COMPONENT 44(2+jEi~# 4(2+jEi~1,zXka): v i~D{F v i~D`M(ARRAY"TREE r SET) v yJm*XDj{Pm v TZ`M ARRAY M TREE,Xkhv?v*XZi~a9PD;C 4(2+jEi~s,Iy]b)i~44(2+_T#(}K2+_T,I4(2 +jE4#$}]# i~D`M P}V`MD2+jEi~: v TREE:?v*Xm>wa9PD;vZc v ARRAY:?v*Xm>_TLHOD;vc v SET:?v*Xm>/OPD;vI1 `MC4T*X`%.dD;,`X==xP(##}g,g{z*4(i~Thv +>PD;vr`v?E,G4IT9C TREE `MDi~,bGr*s?Vs5a9 3KDEN6p,G4IT9C ARRAY `MD i~,bGr*,TZNN=vEN6p,\P;v_Zm;v# ?V`MDj8E"(|(*X`%.dDX5Dj8hv)}2+jEi~ zXkG2+T\m1E\>}2+jEi~#9C SQL od DROP 4>}2+jE i~# LBAC 2+jEi~`M:SET SET G;V2+jEi~`M,|ITZyZjEDCJXF (LBAC) 2+_TP9 C# 148 }]b2+T8O SET `MDi~G^rD*XPm#ITTK`i~D*X4PD(;HOYwG“Pm Gq|,x(D*X”# LBAC 2+jEi~`M:ARRAY ARRAY G;V2+jEi~`M# Z ARRAY `MDi~P,4(i~1P>*XD3r(eKLH,Z;vP>D*X *n_5,ns;vP>D*X*nM5# >}:g{i~ mycomp (e*: CREATE SECURITY LABEL COMPONENT mycomp ARRAY [ ’Top Secret’, ’Secret’, ’Employee’, ’Public’ ] rO**XG4TBa9i/D: Z ARRAY `MDi~P,*X`%.dITPBP`MDX5: _Z g{*X A Z ARRAY SdPvVZ*X B .0,G4*X A _Z*X B# MZ g{*X A Z ARRAY SdPvVZ*X B .s,G4*X A MZ*X B# LBAC 2+jEi~`M:TREE TREE G;V2+jEi~`M,|ITZyZjEDCJXF (LBAC) 2+_TP9 C# Z TREE `Mi~P,*X;S*Twa9==EP#Z8( TREE `Mi~y|, D*X1,9Xk8(|ZDv*XBf#(;}bDGZ;v*X,Xk+d8( *wD ROOT#by,M\;Twa9D==4i/*X# >}:g{i~ mycomp (e*: CREATE SECURITY LABEL COMPONENT mycomp TREE ( ’Corporate’ ROOT, ’Publishing’ UNDER ’Corporate’, ’Software’ UNDER ’Corporate’, ’Development’ UNDER ’Software’, ’Sales’ UNDER ’Software’, Secret Employee Top Secret Public ÉÊ ÉË Z 5 B yZj)DCJXF (LBAC) 149 ’Support’ UNDER ’Software’ ’Business Sales’ UNDER ’Sales’ ’Home Sales’ UNDER ’Sales’ ) rO**XG4TBwa9i/D: Z TREE `MDi~P,*X`%.dITPBP`MDX5: 8z g{*X B Z*X A Bf,G4*X A G*X B D8z# >}:K Business Sales *XD8z: Publishing Software Development Support Business Sales Home Sales Sales Corporate 150 }]b2+T8O Sz 
g{*X A Z*X B Bf,G4*X A G*X B DSz# >}:K Software *XDSz: ,z g{=v*XP,;v8z,G4|G%*,z# >}:K Development *XD,z: Publishing Software Development Support Business Sales Home Sales Sales Corporate Publishing Software Business Sales Home Sales Corporate SalesDevelopment Support Z 5 B yZj)DCJXF (LBAC) 151 fz g{*X A G*X B D8z,r_*X A G B D8zD8z(@K` F),G4*X A G*X B Dfz#y*XGwPyPd{*XDfz# >}:K Home Sales *XDfz: sz g{*X A G B DSz,r_g{*X A G B DSzDSz(@K` F),G4*X A G*X B Dsz# Publishing Software Development Business Sales Home Sales Corporate Sales Support Publishing Development Support Business Sales Home Sales Sales Software Corporate 152 }]b2+T8O >}:K Software *XDsz: LBAC 2+jE ZyZj)DCJXF (LBAC) P,2+jEGCZhv;iX(2+u~D}]bT s#2+jE;&CZ}]T#$C}]#|G;ZhC'TJmC'CJ\#$} ]# 1C'"TCJ\#$}]1,{GD2+jE+kCZ#$C}]D2+jExP HO#CZxP#$D2+jE+h{;?V2+jE#g{C'D2+jE;h {,CC'M^(CJC}]# ?v2+jE}:g{ TREE `Mi~P}v*X Human Resources"Sales M Shipping,G4C i~D;)P'5G: v Human Resources(rNN%v*X) v Human Resources, Shipping(r_G)*XDNNd{iO,u~G;`N|(,; *X) v U5 X(2+jEGqh{m;v2+jE,GIjEP?vi~5T0mD2+_TP 8(D LBAC fr/7(D#ZV[gNHO LBAC 2+jEDwbPa)KPXg NxPHODj8E"# Publishing Software Corporate SalesDevelopment Support Business Sales Home Sales Z 5 B yZj)DCJXF (LBAC) 153 +2+jE*;*D>V{.1,|G+9CZV[2+jE5q=DwbPhvD q=# 4(2+jE zXkG2+T\m1E\4(2+jE#9C SQL od CREATE SECURITY LABEL 44(2+jE#4(2+jE1,h*a): v jED{F v |,CjED2+_T v C2+_TP|,D;vr`vi~D5 TZNN48(5Di~,Y(|G_PU5#2+jEXkAYP;vGU5# Dd2+jE ;\Dd2+jE#|D2+jED(;=(G>}|,;sXB4(#+G,2+ T\m1IT9C ALTER SECURITY LABEL COMPONENT od4^D2+jED i~# >}2+jE zXkG2+T\m1E\>}2+jE#9C SQL od DROP 4>}2+jE#^ (>}};C4#$}]bPNN;CPD}]D2+jEr_10};;vr`v C'5PD2+jE# Zh2+jE zXkG2+T\m1E\+2+jEZhC'"irG+#9C SQL od GRANT SECURITY LABEL 4Zh2+jE#Zh2+jE1,IT+dw*ACJ2+jE" 4CJ2+jEr_A4CJ2+jEZh#TZ,;VCJ`M,C'"irG+ ;\5P,;2+_TPD`v2+jE# 7z2+jE zXkG2+T\m1E\7zC'"irG+D2+jE#*7z2+jE,k9 C SQL od REVOKE SECURITY LABEL# k2+jEf]D}]`M 2 + j E D } ] ` M * SYSPROC.DB2SECURITYLABEL# ' V Z SYSPROC.DB2SECURITYLABEL k VARCHAR(128) FOR BIT DATA .dxP}] *;# 7(C'5PD2+jE 
IT9CTBi/47(C'5PD2+jE: SELECT A.grantee, B.secpolicyname, c.seclabelname FROM syscat.securitylabelaccess A, syscat.securitypolicies B, syscat.securitylabels C WHERE A.seclabelid = C.seclabelid and B.secpolicyid = C.secpolicyid 154 }]b2+T8O 2+jE5Dq= 2+jEPD5P1GTV{.q=m>D,}g,9CZC/} SECLABEL 1iv MGby# 12+jEPD5m>*V{.1,b)5Dq=gB: v i~5GSs=RP>D,"RP>3rk2+_TD CREATE SECURITY POLICY odPDi~P>3r`, v *XIC*XD{Fm> v ;,i~D*XI0E(:)Vt v g{T,;vi~xvK`v*X,G4+G)*X(Z(E(())P"C:E (,)Vt v U5I;TU(E(())m> >}:2+_T|,;v2+jE,C2+_TITB3rD}vi~iI: Level"Department M Projects#C2+jE|,BP5: m 8. 2+jED>}5 i~ 5 Level Secret Department U5 Projects v Epsilon 37 v Megaphone v Cloverleaf b)2+jE54O%MqTBV{.: ’Secret:():(Epsilon 37,Megaphone,Cloverleaf)’ gNHO LBAC 2+jE 1z"TCJ\yZj)DCJXF (LBAC) #$D}]1,zD LBAC >$+k; vr`v2+jExPHO,T7(Gqh{CCJ#LBAC >$Gz5PDNN2+ jESOz5PDNNb}(# ;\xP=V`MDHO#LBAC >$ITk%vACJ2+jExPHO,LBAC > $2ITk%v4CJ2+jExPHO#|BM>}Yw;O*GHAs4#1Y wh*xP`NHO1,?NHO$Ma;#$2+jEh{# xPHO19CD LBAC fr/GZ2+_TP8(D#*KbfrZ]T0?ufr D9C1d,ki4Cfr/Dhv# b}(THOD0l g{z5PCZHO=v5DfrDb}(,G4;axPCHO,"RY(#$5 ;ah{zD2+jE5# >}:LBAC fr/G DB2LBACRULES,2+_TP=vi~#;vi~D`M* ARRAY,m;vi~D`M* TREE#QZhC'Tfr DB2LBACREADTREE Db }(,CfrGHO TREE `Mi~519CDACJfr#g{C'"TA!\#$ }],G4^[CC'D TREE i~*N5(49*U5),2;ah{CJ,bGr *49CCfr#C'GqITA!}]j+!vZjED ARRAY i~5# LBAC fr/Ev LBAC fr/GHO2+jE1*9CD;i$(efr#ZT=v2+jED5xP HO1,+9Cfr/PD;vr`vfr47(;v5Gqh{m;v5# ?v LBAC fr/Kfr"8>K9C?vfrD 1d,"hvKCfr7(Gqh{CJD>6# 156 }]b2+T8O m 9. DB2LBACRULES fr** fr{ C4TK` MDi~D 5xPHO CZK`M DCJ 1zcKu~1h{CJ DB2LBACREADARRAY ARRAY A C'D5!Z#$5# DB2LBACREADSET SET A fZ;vr`vC'y;PD#$5# DB2LBACREADTREE TREE A C'yPD5} b)>}T"TAr"T4\#$}]DC'P'#b)>}Y(5tZ`M* SET D i~,Ci~|,BP*X:one two three four m 10. DB2LBACREADSET M DB2LBACWRITESET frD&C>} C'D5 #$5 Gqh{CJ? 
“one” “one” ;h{#5`,# “(one,two,three)” “one” ;h{#C'D5|,*X“one”# “(one,two)” “(one,two,four)” h{#*X“four”|,Z#$5P,+4 |,ZC'D5P# ’()’ “one” h{#U5a;NNGU5h{# “one” ’()’ ;h{#U5;ah{NN5# ’()’ ’()’ ;h{#U5;ah{NN5# DB2LBACREADTREE M DB2LBACWRITETREE b)>}T,1xPA4CJDC'P'#b)>}Y(5tZ`M* TREE Di~, Ci~G4TB==(eD: CREATE SECURITY LABEL COMPONENT mycomp TREE ( ’Corporate’ ROOT, ’Publishing’ UNDER ’Corporate’, ’Software’ UNDER ’Corporate’, Z 5 B yZj)DCJXF (LBAC) 157 ’Development’ UNDER ’Software’, ’Sales’ UNDER ’Software’, ’Support’ UNDER ’Software’ ’Business Sales’ UNDER ’Sales’ ’Home Sales’ UNDER ’Sales’ ) bb6E*XG4K==EPD: m 11. DB2LBACREADTREE M DB2LBACWRITETREE frD&C>} C'D5 #$5 Gqh{CJ? ’(Support,Sales)’ ’Development’ h{#*X“Development”;GC 'D5,“Support”M“Sales”<; G“Development”Dfz# ’(Development,Software)’ ’(Business Sales,Publishing)’ ; h { # * X “Software”G“Business Sales”Df z# ’(Publishing,Sales)’ ’(Publishing,Support)’ ; h { # = i 5 < | , * X “Publishing”# ’Corporate’ ’Development’ ;h{#y5GyPd{5Df z# ’()’ ’Sales’ h{#U5a;NNGU5h {# ’Home Sales’ ’()’ ;h{#U5;ah{NN5# ’()’ ’()’ ;h{#U5;ah{NN5# Publishing Software Development Support Business Sales Home Sales Sales Corporate 158 }]b2+T8O DB2LBACREADARRAY >} b)>}vJCZACJ#b)>}Y(5tZ`M* ARRAY Di~,Ci~|,4 TB==EPDBP*X: m 12. DB2LBACREADARRAY frD&C>} C'D5 #$5 Gqh{ACJ? “Secret” “Employee” ;h{#*X“Secret”_Z*X“Employee”# “Secret” “Secret” ;h{#5`,# “Secret” “Top Secret” h{#*X“Top Secret”_Z*X“Secret”# ’()’ ’Public’ h{#U5a;NNGU5h{# ’Public’ ’()’ ;h{#U5;ah{NN5# ’()’ ’()’ ;h{#U5;ah{NN5# DB2LBACWRITEARRAY >} b)>}vJCZ4CJ#b)>}Y(5tZ`M* ARRAY Di~,Ci~|,4 TB==EPDBP*X: m 13. DB2LBACWRITEARRAY frD&C>} C'D5 #$5 Gqh{4CJ? “Secret” “Employee” h{#*X“Employee”MZ*X“Secret”# “Secret” “Secret” ;h{#5`,# “Secret” “Top Secret” h{#*X“Top Secret”_Z*X“Secret”# ’()’ ’Public’ h{#U5a;NNGU5h{# Secret Employee Top Secret Public ÉÊ ÉË Secret Employee Top Secret Public ÉÊ ÉË Z 5 B yZj)DCJXF (LBAC) 159 m 13. DB2LBACWRITEARRAY frD&C>} (x) C'D5 #$5 Gqh{4CJ? 
’Public’ ’()’ ;h{#U5;ah{NN5# ’()’ ’()’ ;h{#U5;ah{NN5# LBAC frb}( g{z5PX(2+_TDX(frD LBAC frb}(,G41z"TCJ\C2+ _T#$D}]1,M;a?F5)Cfr# ZHONN2+_TD2+jE1,g{C2+_T;GZhb}(1ykTD2+ _T,Cb}(;pwC# >}: P=vm:T1 M T2#T1 \2+_T P1 #$,T2 G\2+_T P2 #$#=v2 +_T}:m T1 P=P,Z;PD}]`M* DB2SECURITYLABEL,Z~PD}]`M * INTEGER#T1 \2+_T P1 #$,K2+_TP}v2+jEi~: level"departments M groups#g{ UNCLASSIFIED Gi~ level D*X,ALPHA M SIGMA }:m T1 P=P,Z;PD}]`M* DB2SECURITYLABEL,Z~PD}]`M * INTEGER#{* L1 D2+jEG2+_T P1 D;?V#TB SQL odekC 2+jE: INSERT INTO T1 VALUES ( SECLABEL_BY_NAME( ’P1’, ’L1’ ), 22 ) K SQL od^(}#KP: INSERT INTO T1 VALUES ( P1.L1, 22 ) // Syntax Error! SECLABEL_TO_CHAR KZC/}5X2+jEy|,D5DV{.m># >}:m T1 PDP C1 D}]`M* DB2SECURITYLABEL#T1 \2+_T P1 # $,K2+_TP}v2+jEi~:level"departments M groups#T1 |,;P,T Z?vi~,P C1 PD5|,BP*X: i~ *X level SECRET departments DELTA M SIGMA groups G3 Z 5 B yZj)DCJXF (LBAC) 161 5PJmA!CPD LBAC >$DC'4PTB SQL od: SELECT SECLABEL_TO_CHAR( ’P1’, C1 ) AS C1 FROM T1 dvgBy>: C1 ’SECRET:(DELTA,SIGMA):G3’ 9C LBAC 4#$}] yZj)DCJXF (LBAC) ITCZ#$}]PM/r}]P#mPD}];\I#$ CmD2+_Ty|,D2+jE#$#ITZ4(m1xP}]#$$w(|(m S2+_T),Ts2IT(}Ddm44PK$w# ITZ,;v CREATE TABLE r ALTER TABLE odPTmmS2+_TT0# $CmPD}]# w*_},;JmT10 LBAC >$;Jm4}]D==4#$C}]# TmmS2+_T 4(m1,IT9C CREATE TABLE odD SECURITY POLICY Sd4rmmS 2+_T#IT9C ALTER TABLE odD ADD SECURITY POLICY Sd4rV PmmS2+_T#z;h*_P SECADM (^r5P LBAC >$MITTmmS 2+_T# ;\T LBAC ^(#$Dm`MmS2+_T#kND LBAC EvTq! LBAC ^ (#$Dm`MDPm# ;\+;vTO2+_TmSxNNm# #$P Z4(m1,IT(}|(}]`M* DB2SECURITYLABEL DP4JmBmPDP \#$#CREATE TABLE od9XkTCmmS2+_T#z;h*_P SECADM (^r5PNN LBAC >$MIT4(byDm# IT(}mS}]`M* DB2SECURITYLABEL DP4JmVPmPDP\#$#* mSbyDP,CmXkQ\2+_T#$,qrmSPD ALTER TABLE od9X kTCmmS2+_T#ZmSP.s,+9CJmxP4CJD2+jE4#$y PQfZDP#g{CZ#$CmD2+_T4|,JmxP4CJD2+jE,G 4^(mS}]`M* DB2SECURITYLABEL DP# Zm|, DB2SECURITYLABEL `MDP.s,(}ZCPPf"2+jE4#$? 
vB}]P#ZPXekM|B\ LBAC #$D}]DwbP,hvKPXKYw$w = = D j8E " # z X k * P LBAC > $ E \ + P e k = | , ` M * DB2SECURITYLABEL DPDmP# ;\>}}]`M* DB2SECURITYLABEL DP,2;\+d|D*NNd{}]` M# 162 }]b2+T8O #$P Z4(m1,IT9C CREATE TABLE odD SECURED WITH P!n4#$P# IT(}Z ALTER TABLE odP9C SECURED WITH !n4TVPDPmS# $# *#$_PX(2+jEDP,zXk*PJmTC2+jEy#$D}]4P4Y wD LBAC >$#z;h*_P SECADM (^# P;\I#$CmD2+_Ty|,D2+jE#$#^(#$;P2+_TDmP DP#JmZ,;vodP#$xP2+_TDm"#$;Pr`P# IT#$mPNb}?DP,+G;vP;\I;v2+jE#$# A!\ LBAC #$D}] 1"TA!\yZjEDCJXF (LBAC) #$D}]1,+QAYw LBAC >$k #$C}]D2+jEwHO#g{#$}]DjE4h{zD>$,MaJmzA !C}]# TZ\#$P45,#$2+jEGZmD#=P(eD#TZmPD?;P,CP D#$2+jE$gNk2+jExP HODj8E"# A!\#$DP Z"TA!\#$DP1,LBAC >$+kCZ#$CPD2+jEwHO#y]HO a{D;,,CJ+;h{rJm#g{CJ;h{,Ma5Xms,"Rod+' \#qr,Cod}#XLx4P# "TA! LBAC >$;JmA!DP+}: m T1 P=v\#$DP#P C1 \2+jE L1 #$#P C2 \2+jE L2 #$# Y(C' Jyoti 5PAYw LBAC >$,C>$JmCJ2+jE L1,+;JmCJ L2#g{ Jyoti "vTB SQL od,Kod+'\: SELECT * FROM T1 IZ SELECT Sd8(K(d{(*),rK|+|( C2 P,yTKod'\# g{ Jyoti "vTB SQL od,KodMaI&: SELECT C1 FROM T1 Z SELECT SdP,(;\#$DPG C1,Jyoti D LBAC >$Jm}A!CP# A!\#$DP g{z;PJmA!3;PD LBAC >$,G4CPTZz45MCq;fZ;y# Z 5 B yZj)DCJXF (LBAC) 163 A!\#$DP1,+;5X LBAC >$JmxPACJDG)P#49Z SELECT SdP48(`M* DB2SECURITYLABEL DP,iv`gK# y] LBAC >$D;,,;,DC'Z|,\#$PDmPI\a4=;,DP#} g,g{ T1 |,\#$P,+GP=vC'5P;,D LBAC >$,G4b=v4 P SELECT COUNT(*) FROM T1 odDC'I\aqC;,Da{# LBAC >$;v0l SELECT od,90lng UPDATE M DELETE .`Dd{ SQL od#g{z;PJmA!3;PD LBAC >$,M^(0lCP# >}: m T1 | , B P P M P # P ROWSECURITYLABEL D } ] ` M * DB2SECURITYLABEL# m 14. m T1 PD>}5 LASTNAME DEPTNO ROWSECURITYLABEL Rjaibi 55 L2 Miller 77 L1 Fielding 11 L3 Bird 55 L2 Y(C' Dan D LBAC >$Jm{A!\2+jE L1 #$D}],+;Jm{A! \ L2 r L3 #$D}]# Dan "vTB SQL od: SELECT * FROM T1 K SELECT od+;5X Miller G;P#;a5XNNms{"r/f# Dan 4=Dm T1 GbyD: m 15. m T1 DS}5 LASTNAME DEPTNO ROWSECURITYLABEL Miller 77 L1 TZ Rjaibi"Fielding M Bird b}P45,IZ|GD2+jEh{KACJ,yT; a5Xb}P#Dan ^(>}r|Bb)P#b)P2;a|(ZNN[//}P#T Z Dan 45,MCqGG)P;fZ;y# Dan "vTB SQL od: SELECT COUNT(*) FROM T1 IZC' Dan ;\A! 
Miller G;P,yTKod+5X5 1# A!|,\#$PD\#$P HliPCJ(,sliPCJ(#g{ACJYw LBAC >$;C4#$dP;vy !PD2+jEh{,G4{vod+'\#qr,Cod+Lx4P,"R;5X LBAC >$JmxPACJD2+jEy#$DP# 164 }]b2+T8O >} m T1 DP LASTNAME \2+jE L1 #$#P DEPTNO \2+jE L2 #$# P ROWSECURITYLABEL D}]`M* DB2SECURITYLABEL#T1 0d}]gBy >: m 16. m T1 PD>}5 LASTNAME \ L1 #$ DEPTNO \ L2 #$ ROWSECURITYLABEL Rjaibi 55 L2 Miller 77 L1 Fielding 11 L3 Y(C' Sakari D LBAC >$JmA!\2+jE L1 #$D}],+;JmA!\ L2 r L3 #$D}]# Sakari "vTB SQL od: SELECT * FROM T1 IZ SELECT Sd9CK(d{(*),b$;Jm}A!C2+jE# Sakari SE"vTB SQL od: SELECT LASTNAME, ROWSECURITYLABEL FROM T1 SELECT Sd4|( Sakari ^(A!DNNP,rKKod+Lx4P#+G,;5 X;P,bGr*d{?;P<\2+jE L2 r L3 #$# m 17. Tm T1 4Pi/D>}dv LASTNAME ROWSECURITYLABEL Miller L1 ek\ LBAC #$D}] 1"T+}]ek=\#$PPr+BPek=_P\#$PDmP1,LBAC >$a 7(gN&mC INSERT od# ek=\#$DPP 1"T+}]ek=\#$PP1,a+CZ4YwD LBAC >$kCZ#$CPD2 +jExPHO#y]HOa{D;,,CJ+;h{rJm# ZPXgNHO LBAC 2+jEDwbPa)KPXgNHO=v2+jEDj8E "# g{CJ;Jm,G4Cod}#XLx4P#g{CJ;h{,ekMa'\," R+5Xms# Z 5 B yZj)DCJXF (LBAC) 165 g{}Zek;P,+4a)\#$PD5,G4+ek1!5(g{P1!5)# 49zD LBAC >$;JmTCPxP4CJ,2a"zbViv#ZBPivB,P 1!5: v ywCP18(K WITH DEFAULT !n v CPGzIP v CP_P(}0%"wzID1!5 v CPD}]`M* DB2SECURITYLABEL,ZKivB,z5PD4CJ2+jEG 1!5 ek=\#$DPP rxP\#$PDmPekBP1,;X* DB2SECURITYLABEL `MDPa)5# g{;P*CPa)5,G4CP+T/ndz5PD4CJ2+jE#g{z;P 4CJ2+jE,Ma5Xms,"RekYw'\# (}9CZC/}(}g SECLABEL),ITT=Xa)2+jET+dek= DB2SECURITYLABEL `MDPP#+G,TZz}Z"TekD2+jEy#$D} ],v1zD LBAC >$Jm4C}]1,Ea9Ca)D2+jE# g{za)K^(4kD2+jE,G4a{+!vZCZ#$mD2+_T#g{ C2+_T_P RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL !n, G4ekYw+'\"5Xms#g{C2+_T;P RESTRICT NOT AUTHO- RIZED WRITE SECURITY LABEL !n,r_|_P OVERRIDE NOT AUTHO- RIZED WRITE SECURITY LABEL !n,G4+vTza)D2+jE,g{z_P 4CJ2+jE,G4+9CK2+jE#g{z;P4CJ2+jE,Ma5Xm s# >} m T1 \{* P1 D2+_T#$,4(C2+_T148( RESTRICT NOT AUTHO- RIZED WRITE SECURITY LABEL !n#m T1 |,=P,+4|,NNP#b=P * LASTNAME M LABEL#P LABEL D}]`M* DB2SECURITYLABEL# C' Joe 5P4CJ2+jE L2#Y(2+jE L2 Jm{T\2+jE L2 #$D }]4P4Yw,+G;Jm{T\2+jE L1 r L3 #$D}]4P4Yw# Joe "vTB SQL od: INSERT INTO T1 (LASTNAME, 
DEPTNO) VALUES (’Rjaibi’, 11) r* INSERT od4|,NN2+jE,yT+Z LABEL PPek Joe D4CJ2 +jE# VZ,m T1 gBy>: m 18. >}m T1 PZ;v INSERT odsD5 LASTNAME LABEL Rjaibi L2 Joe "vTB SQL od,{ZC SQL odPT=Xa)K*ek=P LABEL PD 2+jE: 166 }]b2+T8O INSERT INTO T1 VALUES (’Miller’, SECLABEL_BY_NAME(’P1’, ’L1’) ) KodPD SECLABEL_BY_NAME /}5X;v2+jE,C2+jE{* L1,| G2+_T P1 DiI?V#IZ4Jm Joe T L1 #$D}]4P4Yw,rK;J m{+ L1 ekP LABEL P# r*CZ#$ T1 D2+_TGZ48( RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL !nDivB4(D,yTekK Joe 5PD4CJ2+jE#; a5XNNmsr{"# VZ,CmgBy>: m 19. >}m T1 PZ~v INSERT odsD5 LASTNAME LABEL Rjaibi L2 Miller L2 g{CZ#$CmD2+_TGZ8(K RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL !nDivB4(D,G4ekYwMa'\,"R+5Xms# SE,Joe ;ZhTdP;v LBAC frDb}(#Y(BD LBAC >$Jm{T\ 2+jE L1 M L2 #$D}]4P4Yw#Zh Joe D4CJ2+jE;d,TG L2# Joe "vTB SQL od: INSERT INTO T1 VALUES (’Bird’, SECLABEL_BY_NAME(’P1’, ’L1’) ) BD LBAC >$9 Joe \;T\2+jE L1 #$D}]4P4Yw#rK,Jme k L1#VZ,CmgBy>: m 20. >}m T1 PZ}v INSERT odsD5 LASTNAME LABEL Rjaibi L2 Miller L2 Bird L1 |B\ LBAC #$D}] LBAC >$XkJmT}]xP4CJ,byE\|BC}]#g{*|B\#$D P,G4 LBAC >$9XkJmTCPxPACJ# |B\#$DP Z"T|B\#$PPD}]1,LBAC >$+kCZ#$CPD2+jEwHO#K HOGkT4CJxPD#g{4CJ;h{,Ma5Xms,"Rod'\,qr LxxP|B# ZPXgNHO LBAC 2+jEDwbPa)KPX LBAC >$gNk2+jExP HODj8E"# Z 5 B yZj)DCJXF (LBAC) 167 >}: Y(P;vm T1,dPDP DEPTNO \2+jE L2 #$,xP PAYSCALE \2 +jE L3 #$#T1 T0|D}]gBy>: m 21. m T1 EMPNO LASTNAME DEPTNO #$_ L2 PAYSCALE #$_ L3 1 Rjaibi 11 4 2 Miller 11 7 3 Bird 11 9 C' Lhakpa ;P LBAC >$#{"vTB SQL od: UPDATE T1 SET EMPNO = 4 WHERE LASTNAME = "Bird" IZKod4|BNN\#$DP,yT|D4P;avm#VZ,T1 gBy>: m 22. |B.sDm T1 EMPNO LASTNAME DEPTNO #$_ L2 PAYSCALE #$_ L3 1 Rjaibi 11 4 2 Miller 11 7 4 Bird 11 9 Lhakpa SE"vTB SQL od: UPDATE T1 SET DEPTNO = 55 WHERE LASTNAME = "Miller" IZ DEPTNO \#$,"R Lhakpa ;P LBAC >$,yTKod'\"5Xms# Y( Lhakpa ;Zh LBAC >$,"RG) LBAC >$JmxPBmE(DCJ#T Z>>}45,PXG)>$G24T02+jEy|,D*X.`Dj8E""; X*# CZ#$}]D2+jE GqIA? GqI4? 
L2 q G L3 qq Lhakpa YN"vTB SQL od: UPDATE T1 SET DEPTNO = 55 WHERE LASTNAME = "Miller" 168 }]b2+T8O bN,IZ Lhakpa D LBAC >$Jm{TCZ#$ DEPTNO PD2+jEy#$ D}]4P4Yw,yTCod\;jI4P"R;avm#{\qA!CP";X *#VZ,T1 PD}]GbyD: m 23. Z~N|B.sDm T1 EMPNO LASTNAME DEPTNO #$_ L2 PAYSCALE #$_ L3 1 Rjaibi 11 4 2 Miller 55 7 4 Bird 11 9 SE,Lhakpa "vTB SQL od: UPDATE T1 SET DEPTNO = 55, PAYSCALE = 4 WHERE LASTNAME = "Bird" PAYSCALE P\2+jE L3 #$,Lhakpa D LBAC >$;Jm{4CP#IZ Lhakpa ^(4CP,yT|B+'\,;a|DNN}]# |B\#$DP g{ LBAC >$;JmzA!3;P,G4CPTz45MCq;fZ;y,rK^( |BCP#TZ\;ADP45,z9Xk\;4kCP,byE\|BCP# Z"T|BP1,4Yw LBAC >$+k#$CPD2+jEwHO#g{4CJ;h {,G4|BMa'\,"R+5Xms#g{4CJ4;h{,G4+LxxP| B# }K&m}]`M* DB2SECURITYLABEL DPD==Py;,Tb,4PD|Bk |B4\#$DP`,#g{4T=XhCCPD5,MaT/+|hC*\z5P D4CJ2+jE#$#g{z;P4CJ2+jE,Ma5Xms,"Rod+' \# g{|BYwT=XhC}]`M* DB2SECURITYLABEL DP,G4+YNli LBAC >$#g{"T4PD|BYw+4(10 LBAC >$;Jm4kDP,G4 a{+!vZCZ#$mD2+_T#g{C2+_T_P RESTRICT NOT AUTHO- RIZED WRITE SECURITY LABEL !n,G4|BYw+'\"5Xms#g{C2 +_T;P RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL !n,r_ |_P OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL !n,G4+v Tza)D2+jE,g{z_P4CJ2+jE,G4+9CK2+jE#g{z ;P4CJ2+jE,Ma5Xms# >}: Y(m T1 \{* P1 D2+_T#$"|,{* LABEL DP,CPD}]`M* DB2SECURITYLABEL# T1 T0|D}]gBy>: Z 5 B yZj)DCJXF (LBAC) 169 m 24. m T1 EMPNO LASTNAME DEPTNO LABEL 1 Rjaibi 11 L1 2 Miller 11 L2 3 Bird 11 L3 Y(C' Jenni D LBAC >$Jm}A4\2+jE L0 M L1 #$D}],+;J m}A4\NNd{2+jE#$D}]#Jm}4PA4YwD2+jEG L0#TZ >>}45,PX}Dj+>$G24T02+jE|,D*X.`Dj8E""; X*# Jenni "vTB SQL od: SELECT * FROM T1 Jenni ;4=mPD;P: m 25. Jenni D SELECT i/a{ EMPNO LASTNAME DEPTNO LABEL 1 Rjaibi 11 L1 IZ Jenni D LBAC >$;Jm}A!\jE L2 M L3 #$DP,yTG)P4| (Za{/P#TZ Jenni 45,MCqGG)P;fZ;y# Jenni "vBP SQL od: UPDATE T1 SET DEPTNO = 44 WHERE DEPTNO = 11; SELECT * FROM T1; i/5XDa{/gBy>: m 26. Jenni D UPDATE M SELECT i/a{ EMPNO LASTNAME DEPTNO LABEL 1 Rjaibi 44 L0 mPD5J}]gBy>: m 27. 
m T1 EMPNO LASTNAME DEPTNO LABEL 1 Rjaibi 44 L0 2 Miller 11 L2 3 Bird 11 L3 CodD4P;avm,+;0lZ;P#IZ Jenni ^(AZ~PMZ}P,rK, !\|Gzc WHERE SdPDu~,Cod2;a!q|G4xP|B# "b,!\Z UPDATE odP4T=XhC LABEL P,+Z|BsDPP,CPD 5Q|D#CPQ;hC* Jenni 5PD4Yw2+jE# 170 }]b2+T8O VZ,Jenni ;Zh LBAC >$,K>$Jm}A!\NN2+jE#$D}]#}D 4Yw LBAC >$4|D#}T;;\;4\ L0 M L1 #$D}]# Jenni YN"vTB SQL od: UPDATE T1 SET DEPTNO = 44 WHERE DEPTNO = 11 bN,|BYwIZZ~PMZ}Px'\#Jenni \;AG)P,rKCod!qKG )PTTdxP|B#+G,IZG)P\2+jE L2 M L3 #$,yT}^(4G )P#|BYw;4P,"R+5Xms# VZ,Jenni "vTB SQL od: UPDATE T1 SET DEPTNO = 55, LABEL = SECLABEL_BY_NAME( ’P1’, ’L2’ ) WHERE LASTNAME = "Rjaibi" CodPD SECLABEL_BY_NAME /}5XK{* L2 D2+jE#Jenni "TT= XhCCZ#$Z;PD2+jE#Jenni D LBAC >$Jm}A!Z;P,rK+! qCPTTdxP|B#}D LBAC >$Jm}4\2+jE L0 #$DP,rKJ m}|BCP#+G,}D LBAC >$;Jm}4\2+jE L2 #$DP,rK; Jm}+ LABEL PhC*C5#Cod+'\,"R+5Xms#;a|BCPPD NNP# VZ,Jenni "vTB SQL od: UPDATE T1 SET LABEL = SECLABEL_BY_NAME( ’P1’, ’L1’ ) WHERE LASTNAME = "Rjaibi" IZ}\;4\2+jE L1 #$DP,yTCod+I&# VZ,T1 gBy>: m 28. m T1 EMPNO LASTNAME DEPTNO LABEL 1 Rjaibi 44 L1 2 Miller 11 L2 3 Bird 11 L3 |B|,\#$PD\#$P g{"T|B|,\#$PDmPD\#$P,zD LBAC >$MXkJm4yP\C |BYw0lD\#$P,qr|BYw+'\,"R+5Xms#ZH0PX|B \#$DP;ZPhvKbViv#49Jm|ByP\|BYw0lD\#$P, 2T;;\;|B LBAC >$HJmA2Jm4DP#ZH0PX|B\#$DP;Z P h v K b V i v # ^ [ | B Y w G q 0 l \ # $ D P , T } ] ` M * DB2SECURITYLABEL DPD&m==mG\#$P,G4 LBAC >$Xk Jmz4CP,qr^(|BmPNNDP# >}\ LBAC #$D}] \q>}\ LBAC #$DmPD}]!vZ LBAC >$# Z 5 B yZj)DCJXF (LBAC) 171 >}\#$DP g{ LBAC >$;JmzA3;P,G4CPTz45MCq;fZ;y,rK^(> }CP#*>}z\;A!DP,zD LBAC >$9XkJmz4CP#*>}mPN NxP\#$PDP,zXk5PJmz4CmPDyP\#$PD LBAC >$# Z"T>}P1,4Yw LBAC >$+k#$CPD2+jEwHO#g{#$2+j Eh{K LBAC >$ZhD4CJ(,DELETE odMa'\,5Xms,"R;> }NNP# >} \#$Dm T1 |,BPwP: LASTNAME DEPTNO LABEL Rjaibi 55 L2 Miller 77 L1 Bird 55 L2 Fielding 77 L3 Y(C' Pat D LBAC >$Jm}xPBmyiIDCJ: 2+jE GqJmACJ? GqJm4CJ? 
L1 GG L2 G q L3 qq TZ>>},}D LBAC >$T02+jED7Pj8E"";X*# Pat "vTB SQL od: SELECT * FROM T1 WHERE DEPTNO != 999 Cod4P"5XTBa{/: LASTNAME DEPTNO LABEL Rjaibi 55 L2 Miller 77 L1 Bird 55 L2 IZ Pat ^(A! T1 Dns;P,yTCP4|(Za{P#TZ Pat 4 5,CPMq;fZ;y# Pat "vTB SQL od: DELETE FROM T1 WHERE DEPTNO != 999 Pat ^(4Z;PMZ}P,b=P<\ L2 #$#rK,!\}ITA!b) P,+}^(>}b)P#DELETE od+'\,;a>}NNP# Pat "vTB SQL od: DELETE FROM T1 WHERE DEPTNO = 77; 172 }]b2+T8O IZ Pat \;4 LASTNAME P|, Miller DG;P,yTKodI&#b MGCod!qD(;;P#IZ Pat D LBAC >$;Jm}A! LASTNAME P|, Fielding DG;P,yT4!qCP#IZv;a>}C P,yT;a"zms# VZ,Cm5J|,BPwP: LASTNAME DEPTNO LABEL Rjaibi 55 L2 Bird 55 L2 Fielding 77 L3 >}xP\#$PDP *>}mPNNxP\#$PDP,zXk5PJmz4CmPDyP\#$PD LBAC >$#g{ LBAC >$;Jmz4CmPDNNP,>}YwMa'\,"R +5Xms# g{CmH|,\#$P2|,\#$P,G4*K>}X(DP,zXk5PJm z4CmPD?v\#$PT0A4y*>}DPD LBAC >$# >} Z\#$Dm T1 P,P DEPTNO \2+jE L2 #$#T1 |,BPwP: LASTNAME DEPTNO \ L2 #$ LABEL Rjaibi 55 L2 Miller 77 L1 Bird 55 L2 Fielding 77 L3 Y(C' Benny D LBAC >$Jm{xPBmPE(DCJ: 2+jE GqJmACJ? GqJm4CJ? L1 GG L2 G q L3 qq TZ>>},{D LBAC >$T02+jED7Pj8E"";X*# Benny "vTB SQL od: DELETE FROM T1 WHERE DEPTNO = 77 IZ Benny ^(4 DEPTNO P,yTKod+'\# VZ,Benny D LBAC >$Q|D,{ITxPBmyE(DCJ: 2+jE GqJmACJ? GqJm4CJ? L1 GG Z 5 B yZj)DCJXF (LBAC) 173 2+jE GqJmACJ? GqJm4CJ? L2 GG L3 G q Benny YN"vTB SQL od: DELETE FROM T1 WHERE DEPTNO = 77 b;N,Benny P(4 DEPTNO P,rK>}Yw+Lx4P#DELETE o d+;!q LASTNAME P5* Miller DP#IZ Benny D LBAC >$; Jm{A! 
LASTNAME P|, Fielding 5DG;P,yT4!qCP#IZ Kod4!q>}CP,rK,!\ Benny ^(4CP,+;avm# !qDG;P\2+jE L1 #$#Benny D LBAC >$Jm{4\ L1 # $D}],rK>}I&# VZ,T1 m5J|,BPwP: LASTNAME DEPTNO \ L2 #$ LABEL Rjaibi 55 L2 Bird 55 L2 Fielding 77 L3 >}\#$D}] }G LBAC >$Jm4\2+jE#$DP,qr^(>}CP# ^(SmP>}}]`M* DB2SECURITYLABEL DP#*}%|,WHXkSmP >}2+_T#>}2+_Ts,Cm;Y\ LBAC #$,"RPD}]`MaT/S DB2SECURITYLABEL |D* VARCHAR(128) FOR BIT DATA#;sIT>}CP# LBAC >$";{9>}{v|,\#$}]Dmr}]b#g{zZ}#ivBP( >}mr}]b,G4;h*NN LBAC >$MIT4PCYw,49C}]b|,\ #$}]`gK# S}]P}% LBAC #$ zXk_P SECADM (^E\SmP}%2+_T#*SmP}%2+_T,I9C ALTER TABLE odD DROP SECURITY POLICY Sd#b9aT/}%TmDy PPMyPPD#$# }%TPD#$ Z|,\#$PDmP,?;P$# Z 5 B yZj)DCJXF (LBAC) 175 176 }]b2+T8O Z 6 B +53?XZC'5PDX("ZhX(DC'j6MTsyP(DE ": SYSCAT.COLAUTH P>PDX( SYSCAT.DBAUTH P>}]bX( SYSCAT.INDEXAUTH P>w}X( SYSCAT.MODULEAUTH P>#iX( SYSCAT.PACKAGEAUTH P>Lr|X( SYSCAT.PASSTHRUAUTH P>~qwX( SYSCAT.ROLEAUTH P>G+X( SYSCAT.ROUTINEAUTH P>}L(/}"=(Mf"}L)X( SYSCAT.SCHEMAAUTH P>#=X( SYSCAT.SEQUENCEAUTH P>rPX( SYSCAT.SURROGATEAUTHIDS P>m;vZ(j6Id1dzmDZ(j6# SYSCAT.TABAUTH P>mMSmUdX( SYSCAT.VARIABLEAUTH P>d?X( SYSCAT.WORKLOADAUTH P>$w:XX( SYSCAT.XSROBJECTAUTH P> XSR TsX( © Copyright IBM Corp. 
2013 177 53ZhC'DX(+C SYSIBM w*Z(_#SYSADM"SYSMAINT SYSCTRL M SYSMON 4Z53?# CREATE M GRANT odZ53?{GD`M: SELECT AUTHID, AUTHIDTYPE FROM SYSIBMADM.AUTHORIZATIONIDS 9 I T 9 C SYSIBMADM.OBJECTOWNERS \ m S < M SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID m/}4iRk2+T`XDE"# Z V9.1 .0,;P%v53?,TBodlw_PX(DyP(^{: SELECT DISTINCT GRANTEE, GRANTEETYPE, ’DATABASE’ FROM SYSCAT.DBAUTH UNION SELECT DISTINCT GRANTEE, GRANTEETYPE, ’TABLE ’ FROM SYSCAT.TABAUTH UNION SELECT DISTINCT GRANTEE, GRANTEETYPE, ’PACKAGE ’ FROM SYSCAT.PACKAGEAUTH UNION SELECT DISTINCT GRANTEE, GRANTEETYPE, ’INDEX ’ FROM SYSCAT.INDEXAUTH UNION SELECT DISTINCT GRANTEE, GRANTEETYPE, ’COLUMN ’ FROM SYSCAT.COLAUTH UNION SELECT DISTINCT GRANTEE, GRANTEETYPE, ’SCHEMA ’ FROM SYSCAT.SCHEMAAUTH UNION SELECT DISTINCT GRANTEE, GRANTEETYPE, ’SERVER ’ FROM SYSCAT.PASSTHRUAUTH ORDER BY GRANTEE, GRANTEETYPE, 3 &(Z+Kodlw=DPmk532+T$_P(eDC'{Mi{DPmHO# ;s,ITj6;YP'DG)Z({# ":g{z'V6L}]bM'z,PI\;Z6LM'z(eKKZ({,x;P Z}]b~qwO(e# {C DBADM (^4lwyP{F gBodlw;1SZh DBADM (^DyPZ({: 178 }]b2+T8O XZKNq SELECT DISTINCT GRANTEE, GRANTEETYPE FROM SYSCAT.DBAUTH WHERE DBADMAUTH = ’Y’ lwP(CJmD{F IT9C PRIVILEGES Md{\mS<4lwXZ}]bPQZhX(D(^{DE "# XZKNq TBodlw;1SZ(CJ_P^({ JAMES Dm EMPLOYEE DyP(^{(0 d`M): SELECT DISTINCT AUTHID, AUTHIDTYPE FROM SYSIBMADM.PRIVILEGES WHERE OBJECTNAME = ’EMPLOYEE’ AND OBJECTSCHEMA = ’JAMES’ TZ V9.1 .0Df>,TBi/lw`,DE": SELECT DISTINCT GRANTEETYPE, GRANTEE FROM SYSCAT.TABAUTH WHERE TABNAME = ’EMPLOYEE’ AND TABSCHEMA = ’JAMES’ UNION SELECT DISTINCT GRANTEETYPE, GRANTEE FROM SYSCAT.COLAUTH WHERE TABNAME = ’EMPLOYEE’ AND TABSCHEMA = ’JAMES’ *Kb-IT|B_P^({ JAMES Dm EMPLOYEE,"vgBod: SELECT DISTINCT GRANTEETYPE, GRANTEE FROM SYSCAT.TABAUTH WHERE TABNAME = ’EMPLOYEE’ AND TABSCHEMA = ’JAMES’ AND (CONTROLAUTH = ’Y’ OR UPDATEAUTH IN (’G’,’Y’)) UNION SELECT DISTINCT GRANTEETYPE, GRANTEE FROM SYSCAT.DBAUTH WHERE DBADMAUTH = ’Y’ UNION SELECT DISTINCT GRANTEETYPE, GRANTEE FROM SYSCAT.COLAUTH WHERE TABNAME = ’EMPLOYEE’ AND TABSCHEMA = ’JAMES’ AND PRIVTYPE = ’U’ 
TOodlw_P DBADM (^DNNZ({,T0;1SZh CONTROL r UPDATE X(DG){F# G!3)Z({ITGi,x;;GvpC'# lwZhC'DyPX( (}Z53?,BP>}a)`FE"#}g,TBodlwQ1SZhvp (^{ JAMES D}]bX(DPm: SELECT * FROM SYSCAT.DBAUTH WHERE GRANTEE = ’JAMES’ AND GRANTEETYPE = ’U’ TBodlwIC' JAMES 1SZhDmX(DPm: SELECT * FROM SYSCAT.TABAUTH WHERE GRANTOR = ’JAMES’ TBodlwIC' JAMES 1SZhDvpPX(DPm: SELECT * FROM SYSCAT.COLAUTH WHERE GRANTOR = ’JAMES’ #$53?,Z4(}]bZd,a+T53?mD SELECT X(: REVOKE SELECT ON TABLE SYSCAT.TABAUTH FROM PUBLIC REVOKE SELECT ON TABLE SYSIBM.SYSTABAUTH FROM PUBLIC 182 }]b2+T8O Z 7 B @p='V @p=G;i`XDLr,;ZxgxX~qwO,C4@9T53rxXxP4Z (DCJ# PDV`MD@p=: 1. xg6p"|}KwrAN7Iw@p= 2. dM&CLr6pzm@p= 3. g76pr8wzm@p= 4. P4,D`cli (SMLI) @p= fZVP@p=z7,|O"TOP>DdP;V`MD@p=#Pm`O"TOP >D`MiODd{@p=z7# AN7Iw@p= AN7Iw@p=2F*xg6prE"|}Kw@p=#bV@p=D$w==G y]-itTANkVE"|#AND-itTI\|(4r?jX7"-i`M" 4r?jKZr3)d{X(Z-iDtT# TZyP@p=bv=8(SOCKS }b),zh*7# DB2 }]b9CDyPKZT kVMvVE"|*E#DB2 }]b+KZ 523 CZ DB2 \m~qw(DAS),K DAS I DB2 }]b$_9C#(}9C services D~+~qw}]b\mwdCD ~PD~q{F3dAdKZE47(yP~qw5}9CDKZ# &CLrzm@p= zmrzm~qwG;V}G SOCKS# DB2 }]b53'V SOCKS V4# © Copyright IBM Corp. 
2013 183 P4,D`cli (SMLI) @p= P4,D`cli (SMLI) @p=9CE"|}KDjFN=4liiI“*E=53% ,”(OSI)#MDyP_c# li?;vE"|"kQCDE"|DQ*4,xPHO#AN7Iw@p=;li E"|7,x SMLI @p=ali{vE"|,|(}]# 184 }]b2+T8O Z 8 B 2+e~ DB2 }]b53DO$G9C2+e~4jID#2+e~GI/,0kDb,Cba )O$2+~q# ilwe~ lwX(C'DiI1JqE"# C'j6/\kO$e~ BPO$`MG9CC'j6M\kO$e~5VD: v CLIENT v SERVER v SERVER_ENCRYPT v DATA_ENCRYPT v DATA_ENCRYPT_CMP b)O$`M7(gNxPT0ZN&xPC'O$#y9CDO$`MIT B=(7(: v TZ,SYw,g{T srvcon_auth dCN}8(5,G4C5EHZ authentication dCN}D5# v ZyPd{ivB,+9C authentication dCN}D5# GSS-API O$e~ GSS-API D}={F* Generic Security Service Application Program Interface V2 (IETF RFC2743) M Generic Security Service API V2: C-Bindings (IETF RFC2744)#Kerberos -iG5V GSS-API O$zFDw*VN#BPO$` MG9C GSS-API O$e~5VD: v KERBEROS v GSSPLUGIN v KRB_SERVER_ENCRYPT v GSS_SERVER_ENCRYPT KRB_SERVER_ENCRYPT M GSS_SERVER_ENCRYPT <'V GSS-API O$MC'j 6/\kO$#+G,GSS-API O$GW!O$`M#M'K Kerberos 'VZ Solaris"AIX"HP-UX(v 64 ;)"Windows M Linux Yw53OIC#T Z Windows Yw53,1!ivBatC Kerberos 'V# DB2 }]b\mwZM'zM~qwO'Vb)e~# ":O$`M7(gNO$T0ZN&O$C'#*9CX(O$`M,khC authen- tication }]b\mwdCN}D5# I@"9C?ve~rkd{e~dO9C#}g,I9CX(~qwKO$e~, +S\M'zMiO$D DB2 1!5#r_,zI\;PilwrM'zO$e~, x;P~qwKe~# g{*9C GSS-API O$,G4M'zM~qwOXZ(# 5VK>6Dn#{=(G: v + srvcon_auth dCN}hC* GSSPLUGIN;" v + authentication dCN}hC* SERVER# ÔÕ/×Ø ÙÚÛo Kerberos GSS API- ÙÚÛo - ÙÚÛo GSS API FÛo DB2 ÙÚ yzÝ Ûoº» < 5. Z DB2 M'zO?p2+e~ 186 }]b2+T8O srvcon_auth dCN}G2GkV,S9CDO$`MD;V=(#b),S9C srvcon_auth dCN}8(DO$=(,+g{K5t*U,G4aDC authentica- tion N}D5# g{4Z}]b~qwO9CM'zO$e~,G45}6pYw(}g,db2start | n)'\# BXZ(D GSS e~ LOCAL_GSSPLUGIN ~qwe~== SRV_PLUGIN_MODE GSS e~D~qwPm SRVCON_GSSPLUGIN_LIST ~qwC'j6\ke~ SRVCON_PW_PLUGIN ~qw,SO$ SRVCON_AUTH }]b\mwO$ AUTHENTICATION g{4hCb)N}D5,G4 DB2 z7a)D1!e~CZilw"C'j6/\k \mM Kerberos O$(g{ authentication N}Z~qwOhC* KERBEROS)#+ G,4a)1! 
GSS-API e~#rK,g{T authentication N}8(O$`M GSSPLUGIN,G49XkT srvcon_gssplugin_list dCN}8( GSS-API O$e~# 0k2+e~ }]b\mwdCN}j6DyP\'Ve~P'C'(vJCZ~qwe~) v ^DM'zOa)DC'j6r\k,;sY+|"MA~qw(vJCZ M'ze~) v 5XkX(C'`X*D DB2 Z(j6 GSS-API O$e~ v j61!2+OBD(vJCZM'ze~) v 5VXh GSS-API &\ v zIyZC'j6M\kDu<>$"(I!)|D\k(vJCZM'z e~) v 4("S\2+>% v 5XkX( GSS-API 2+OBD`X*D DB2 Z(j6 IT(} CLP r/, SQL od"vD,Sod+]n`|, 255 vV{DC'j6# *c:g{2+e~4-}dV`k"4iMbT,G4I\ap& DB2 }]b53 20Dj{T#DB2 }]bz7I$@m`#{`MDJO,+|;\#$?pC'` 4D2+e~1Dj{T# 188 }]b2+T8O 2+e~b;C Zq!2+e~.s(^[GzT:*"D9GSZ}=:rD),k+|G4F= }]b~qwODX(;C# DB2 M'zZTB?: v 32 ; Windows:MyPlugin.dll v 64 ; Windows:MyPlugin64.dll v 32 ;r 64 ; AIX:MyPlugin.a r MyPlugin.so v 32 ;r 64 ; SUN"32 ;r 64 ; Linux"32 ;r 64 ; HP on IPF:MyPlugin.so ":;P 64 ; Windows 2+e~Db{Ds:Eh*G“64”# Z 8 B 2+e~ 189 19C2+e~{F4|B}]b\mwdC1,9CbD+{+;xs:“64”," R!TC{FDD~)9{MNN^(76?V#^[GDvYw53,<+4gB y>"aF* MyPlugin D2+e~b: UPDATE DBM CFG USING CLNT_PW_PLUGIN MyPlugin 2+e~{FGxVs!4D,"RXkkb{+7%d#DB2 }]b539C`X} ]b\mwdCN}D54iOb76,;s9Cb7640k2+e~b# *K\b2+e~{F"ze;,G4&9CyCO$=(T0`4e~D+>D6 p{E4|{Ce~#}g,g{ Foo, Inc. 
+>`4K;vCZ5V FOOsomemethod O$=(De~,G4MIT+Ce~|{* FOOsomemethod.dll# e~{FDns$H(;|(D~)9{Ms:“64”);\* 32 vVZ#TZ}]b ~qwIT'VDnse~};P^F;+G,Z}]b\mwdCP,C:EVt De~PmDns$H* 255 vVZ#;Z|,D~ sqlenv.h PD=v define j6 Kb=v^F: #define SQL_PLUGIN_NAME_SZ 32 /* plug-in name */ #define SQL_SRVCON_GSSPLUGIN_LIST_SZ 255 /* GSS API plug-in list */ 2+e~bD~Xk_PBPD~mI(: v i5}yP_yP# v 53ODyPC'>}P,MEDWAY Gr,pieter GC'{#Z DB2 }]b53P,IT 8(&+K“=?V”C'j63dA“;?V”Z(j69G“=?V”Z(j6# 'V+“=?V”C'j63dA“=?V”Z(j6,+b;G1!P*#1!ivB, “;?V”C'j6M“=?V”C'j6<3dA“;?V”Z(j6#'V+“=?V”C 'j63dA“=?V”Z(j6,+b;G1!P*# +“=?V”C'j63dA“;?V”C'j6b;1!3dJmC'9CTB|n,S A}]b: db2 connect to db user MEDWAY\pieter using pw ZKivB,g{9CK1!P*,G4C'j6 MEDWAY\pieter +;bv*Z(j6 PIETER#g{'V+“=?V”C'j63dA“=?V”Z(j6,G4Z(j6+* MEDWAY\PIETER# *9 DB2 \;+“=?V”C'j63dA“=?V”Z(j6,G4 DB2 +a)=iO $e~: v ;ie~;:p+“;?V”C'j63dA“;?V”Z(j6T0+“=?V”C'j 63dA“;?V”Z(j6# 190 }]b2+T8O v m;ie~:p+“;?V”C'j6r“=?V”C'j6<3dA“=?V”Z(j 6# g{IT+zyZ$w73PD;vC'{3dAZ;,;C(eD`vJ'(} g,>XJ'"rJ'MIErJ'),G4IT8('V“=?V”Z(j63dD e~# ;(*"b,“;?V”Z(j6(}g PIETER)kIrMC'j6iOxID“=?V ”Z(j6(}g,MEDWAY\pieter)G&\X;;,D=VZ(j6#k;vZ(j 6`X*DX(/ITkzm;vZ(j6`X*DX(/j+;,#9C“;?V” Z(j6M“=?V”Z(j61&!D# Bm5wK DB2 }]b53a)De~V`T0X(O$5VDe~{F# m 30. 
DB2 2+e~ O$`M “;?V”C'j6e~D{F “=?V”C'j6e~D{F C'j6/\k(M'z) IBMOSauthclient IBMOSauthclientTwoPart C'j6/\k(~qw) IBMOSauthserver IBMOSauthserverTwoPart Kerberos IBMkrb5 IBMkrb5TwoPart ":Z 64 ; Windows =(O,aTK&P>De~{F7Ss:“64”# 18(h*“C'j6/\k”e~r Kerberos e~DO$`M1,1!ivBMa9C OvmP““;?V”C'j6e~D{F”b;PPyP>De~# *+“=?V”C'j63dA“=?V”Z(j6,Xk8(*9C“=?V”e~(;G 1!e~)#2+e~GZ5}6p(}hCk2+T`XD}]b\mwdCN} 48(D,gBy>: TZ+“=?V”C'j63dA“=?V”Z(j6D~qwO$,XkxPBPhC: v + srvcon_pw_plugin hC* IBMOSauthserverTwoPart v + clnt_pw_plugin hC* IBMOSauthclientTwoPart TZ+“=?V”C'j63dA“=?V”Z(j6DM'zO$,XkxPBPhC: v + srvcon_pw_plugin hC* IBMOSauthserverTwoPart v + clnt_pw_plugin hC* IBMOSauthclientTwoPart TZ+“=?V”C'j63dA“=?V”Z(j6D Kerberos O$,XkxPBPh C: v + srvcon_gssplugin_list hC* IBMkrb5TwoPart v + clnt_krb_plugin hC* IBMkrb5TwoPart 2+e~bS\ICk Microsoft Windows Security Account Manager f]Dq=8( D“=?V”C'j6#}g,ICTBq=:domain\user ID#,S1,DB2 O$MZ (xL+9CrMC'j6E"# 4(BD}]b1,&XF DB2 }]b53'VT2+e~ API Df>xP`E#TZ DB2 UDB V8.2,b)f >EGS 1 *EG DB2 IT'VD API Dn_f>E,T&Z a9Df>E#g{e~IT'V|_D API f>,G4|Xk5X DB2 QksDf >D/}8k#g{e~v'V|Mf>D API,G4e~&8(|Mf>D/}8 k#ZNN;VivB,2+e~ API <&Z/}a9Df>VNP5XK API 'V Df>E# TZ DB2,v1h*1Ea|D2+e~Df>E(}g,|DK API DN}1)# f>E;af DB2 "PfE;pT/|D# 32 ;M 64 ;2+e~D"bBn (#,32 ; DB2 5}9C 32 ;2+e~,x 64 ; DB2 5}9C 64 ;2+e ~#+G,Z 64 ;5}O,DB2 2'V 32 ;&CLr,b)&CLrh* 32 ;e ~b# HITKP 32 ;&CLrVITKP 64 ;&CLrD}]b5}F*lO5}#g {z_PlO5}"RrcKP 32 ;&CLr,G4&7# 32 ;e~?# g{zS;v;a) 64 ;e~bD)&L&qCK2+e~,G4zIT5V+4P 32 ;&CLrD 64 ;fy#ZKivB,2+e~G;vb?Lrx;G;vb# 2+e~Jb7( 2+e~"zDJbG(}TB=V==4(fD:;V==G(} SQL ms,m; V==G(}\m(*U># TBGk2+e~`XD SQLCODE 5: v g{Z4P db2start r db2stop Zde~"zms,G4+5X SQLCODE -1365# v ?1"z>XZ(Jb1Ma5X SQLCODE -1366# v e~"zKNNk,S`XDms,<+5X SQLCODE -30082# ZwTM\m2+e~1,\m(*U>\JC#Z UNIX O,*i4\m(*U>D ~,kli sqllib/db2dump/instance name.N.nfy#Z Windows Yw53O,*i4 \m(*U>,k9C“B~i4w”$_#I(}S Windows Yw53D“*<”4%< =AhC -> XFfe -> \m$_ -> B~i4w4R=“B~i4w”$_#TBG k2+e~`XD\m(*U>5: v 13000,|8>r"zmsxwC GSS-API 2+e~ API '\,"R5X;ums {"(I!)# 192 
}]b2+T8O SQLT_ADMIN_GSS_API_ERROR (13000) e~“plug-in name”S GSS API“gss api name”PSU=mszk“error code”,zzD ms{"*“error message” v 13001,|8>r"zmsxwC DB2 2+e~ API '\,"R5X;ums{" (I!)# SQLT_ADMIN_PLUGIN_API_ERROR(13001) e~“plug-in name”S DB2 2+Te~ API“gss api name”SU=mszk “error code”0ms{"“error message” v 13002,|8> DB2 4\6X3ve~# SQLT_ADMIN_PLUGIN_UNLOAD_ERROR (13002) ^(6Xe~“plug-in name”#;h*4Px;=DYw# v 13003,|8>we{Fms# SQLT_ADMIN_INVALID_PRIN_NAME (13003) CZ“plug-in name”Dwe{F“principal name”^'#k^}Kwe{F# v 13004,|8>e~{F^'#e~{FP;JmfZ76Vt{(Z UNIX O*“/”, Z Windows O*“\”)# SQLT_ADMIN_INVALID_PLGN_NAME (13004) e~{F“plug-in name”^'#k^}Ke~{F# v 13005,|8>4\0k2+e~#&7#e~;Z}7D?2+e~"zKbbms#kU/yP db2support E",g{PI \,9IT6q db2trc,;sBg IBM 'Vz9Tq!x;=Doz# SQLT_ADMIN_PLUGIN_UNEXP_ERROR (13006) e~"zKbbms#kk IBM 'Vz9*5Tq!x;=Doz# ":g{z}Z 64 ; Windows }]b~qwO9C;)2+e~,"Rz"V3v 2+e~"zK0kms,kNDPX 32 ;M 64 ;"bBnM2+e~|{<(D wb#64 ;e~b*sb{P|,s:“64”,+G2+e~}]b\mwdCN}PD u?;&8>Ks:# tCe~ ?pilwe~ *(F DB2 2+53DilwP*,zIT*"T:Dilwe~,2ITrZ}= :r# *<.0 ZqCJOZzyZ}]b\m53Dilwe~.s,MIT?pKe~# }L v *Z}]b~qwO?pilwe~,k4PBP=h: 1. +Cilwe~b4F=~qwDie~?XZ(li,1M'z"T,SA~qw1,Ke~9+CZi$K M'z#g{Ke~EZ~qwe~?# 4(eDP*|(:g{;ve~Q-_PKBf>({F;d),x3vxLTZ 9CKe~,G4MaxP^F#1zWN?pe~r_49CCe~1,K^F+ ;pwC# ZqCJOZzyZ}]b\m53D“C'j6/\k”O$e~.s,MIT?pb )e~# }L v *Z}]b~qwO?p“C'j6/\k”O$e~,kZC}]b~qwO4PB P=h: 1. 4F~qwe~?XZ(,kZ ?vM'z"~qwrxXO4PBP=h: 194 }]b2+T8O 1. 4FCM'z"~qwrxXODM'ze~?XZ(li,1M 'z"T,SA~qw12GgK#g{Ke~EZ~qwe~?# 4(eDP*|(:g{;ve~Q-_PKBf>({F;d),x3vxLTZ 9CKe~,G4MaxP^F#1zWN?pe~r_49CCe~1,K^F+ ;pwC# ZqCJOZzyZ}]b\m53D GSS-API O$e~.s,MIT?pb)e~# }L v *Z}]b~qwO?p GSS-API O$e~,kZ~qwO4PBP=h: 1. 4F~qwe~?M'z+;S\ GSS-API O $e~w*O$zF# }g: CATALOG DB testdb AT NODE testnode AUTHENTICATION GSSPLUGIN v *Z9C GSS-API O$e~DM'z"~qwrxXOxP>XZ(,k4PBP =h: 1. 4FCM'z"~qwrxXODM'ze~?,Xk#9 DB2 ~qw09CCe~DNN&CLr# g{?pe~DBf>({F`,)13vxL}Z9CCe~,G4a"z4(e P*,|(]e# XZKNq IZ}]b~qwr}]bM'zO?p Kerberos O$e~# }L v *Z}]b~qwO?p Kerberos O$e~,kZ~qwO4PBP=h: 1. + Kerberos O$e~b4F=~qwe~?<# 2. 
|B srvcon_gssplugin_list }]b\mwdCN}DhC(|G;vPrD: E(gPm)T|( Kerberos ~qwe~{F#KPmP;\P;ve~G Kerberos e~#g{PmP;P Kerberos e~,G4a5Xms#g{PmPP `v Kerberos e~,G4a5Xms#g{CdCN}5*UW"R authentication dCN}hC* KERBEROS r KRB_SERVER_ENCRYPT,G4a9C1! DB2 Kerberos e~ IBMkrb5# 3. X*1,khC srvcon_auth }]b\mwdCN}D5# g{*?p Kerberos e~,G4 srvcon_auth }]b\mwdCN}DIS\5gBy>: – KERBEROS – KRB_SERVER_ENCRYPT – GSSPLUGIN – GSS_SERVER_ENCRYPT – UW,+v1 authentication dCN}hC*KPmPDdP;vH051# v *Z}]bM'zO?p Kerberos O$e~,kZM'zO4PTB=h: 1. + Kerberos O$e~b4F=M'ze~?<# 196 }]b2+T8O 2. + clnt_krb_plugin }]b\mwdCN}hC* Kerberos e~D{F#g{ clnt_krb_plugin dCN}D5*UW,G4M'z;\9C Kerberos O$#Z Windows O,1!5* IBMkrb5#;h*T(F Kerberos e~DdK5#Z UNIX O,XkhCK5,r*1!5*UW#*Z9C Kerberos O$e~DM 'z"~qwrxXOxP>XZ(,k4PBP=h: a. 4FCM'z"~qwrxXODM'ze~?M'z+v9C Kerberos O$e~#T B>}`? testdb }]b: CATALOG DB testdb AT NODE testnode AUTHENTICATION KERBEROS TARGET PRINCIPAL service/host@REALM yZ LDAP DO$Mii/'V DB2 }]b\mwM DB2 Connect (}9C LDAP 2+e~#iT08wD LDAP 4'VyZ LDAP DO$Mii/&\ AIX Yw53OQv?yZ LDAP DO$'V#S DB2 V9.7 FP1 *<,8w LDAP 'V2Q-)9= DB2 z7y'VD`,f>6pD Linux"HP-UX M Solaris Yw 53#LDAP VZJm9C8wD LDAP O$TC'O$MiI1JqxP/P\m# IT+ DB2 5}dC*(}Yw534O$C'Mq!{GDi#;sYw53VI T(} LDAP ~qw4PO$#*tC8wD LDAP O$,k+ DB2AUTH Sn"a md?hC* OSAUTHDB#\'VDYw53|(: v AIX v HP-UX v Linux v Solaris CZ5VyZ LDAP DO$Dm;!qG(}9C LDAP 2+e~#LDAP 2+e~ #iJm DB2 }]b\mwT LDAP ?6pDYw53(eDC'Mi*s#\'VDYw53|(: v AIX v HP-UX on Itanium-based HP Integrity Series systems (IA-64) v Linux on IA32"x64 r zSeries® 2~ v Solaris v Windows Ik2+e~#idO9CD LDAP ~qw|(: v IBM Lotus® Domino® LDAP Server V8.0 0|_f> v IBM Tivoli® Directory Server (ITDS) V6.2(xP GSKit 7.0.4.20 0|_f>)0| _f> v Microsoft Active Directory (MSAD) V2008 0|_f> v Novell eDirectory V8.8 0|_f> Z 8 B 2+e~ 197 v OpenLDAP Server V2.4 0|_f> v Sun Java System Directory Server Enterprise Edition V5.2 FP4 0|_f> v z/OS Integrated Security Services LDAP Server V1R6 M|_f> ":9C LDAP e~#i1,XkZ LDAP ~qwO(ek}]b`X*DyPC '#b|( DB2 
5}yP_j6M\@$C'#((#,ZYw53P(eKb)C ',+G9XkZ LDAP P(eb)C'#),y,g{9C LDAP ie~#i,G 4XkZ LDAP ~qwO(eZ(yh*DyPi#b)i|(Z}]b\mwdCP (eD SYSADM"SYSMAINT"SYSCTRL M SYSMON i# DB2 2+e~#iICZ~qwKO$"M'KO$Mii/(Ts+xPhv)#y ]zyZDX(73,I\h*9C;V"=VryPb}V`MDe~# *9C DB2 2+e~#i,q-BP=h: 1. v(zGh*~qw"M'zrie~#i,9Gh*b)#iDiON=# 2. (}hC IBM LDAP 2+e~dCD~(1!{F* IBMLDAPSecurity.ini)PD 54dCe~#i#zh*I/ LDAP \m1T7(J1D5# 3. tCe~#i 4. 9CwV LDAP C'j64bT,S# ~qwO$e~ ~qwO$e~#iTM'zZ CONNECT M ATTACH odPa)DC'j6M\ k4P~qwi$#X*1,|9a);V=(+ LDAP C'j63dA DB2 Z(j 6#g{zkCC'9C{GD LDAP C'j6M\kr DB2 }]b\mwxPO $,G4(#XYw53C'j6;,Zkb)C'`X*D DB2 Z(j 6,G4I\2h*M'zO$e~#i#ZT}]b~qwOD>X|n(}g, db2start)4PZ(li.0,IT9CM'Ke~+>XYw53C'j63dA DB2 Z(j6# ii/e~ ii/e~#iS LDAP ~qwPlwX(C'DiI1JqE"#g{*9C LDAP 4f"zDi(e,G4Ke~GXhD#n#{DivG: v yPC'MiX(eDNNC'(|(5}yP_M\@$C')Z LDAP ~ qwO2GT,;C'j6(eD# 198 }]b2+T8O v Z DB2 ~qwOxP\ki$(4,Z~qwD DBM dCD~P+ AUTHENTI- CATION r SRVCON_AUTH hC* SERVER" SERVER_ENCRYPT r DATA_ENCRYPT D5)# (#,v+~qwO$e~#iMii/e~#i20Z~qwOMc;K#DB2 M' z(#;h*20 LDAP e~#i# ITv+ LDAP ii/e~#ik3)d{N=DO$e~(}g,Kerberos e~) iO9C#ZKivB,LDAP ii/e~#i+a)k3vC'`X*D DB2 Z( j6#e~#i+Z LDAP ?D LDAP M'zdO9C:ITDS V5.2(f AIX V5.3 a))"ITDS V6.1(f AIX V6.1 a))M ITDS V6.2(f AIX )9|a))#BPZ]T>+ ITDS V5.2 D~/20Z AIX V5.3 53O: $ lslpp -l "ldap*" Fileset Level State Description ---------------------------------------------------------------------------- Path: /usr/lib/objrepos ldap.client.adt 5.2.0.0 COMMITTED Directory Client SDK ldap.client.rte 5.2.0.0 COMMITTED Directory Client Runtime (No SSL) ldap.html.en_US.config 5.2.0.0 COMMITTED Directory Install/Config Gd-U.S. English ldap.html.en_US.man 5.2.0.0 COMMITTED Directory Man Pages - U.S. "o ldap.msg.en_US 5.2.0.0 COMMITTED Directory Messages - U.S. "o Path: /etc/objrepos ldap.client.rte 5.2.0.0 COMMITTED Directory Client Runtime (No SSL) c. 
9Cx -c !nD mksecldap |n4dCM'z# PX mksecldap |nT0g N9CC|n4dCM'zD|`E",kNDhttp://publib.boulder.ibm.com/ infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/ setup_ldap_sec_info_server.htm d. |B /etc/security/user D~PD1!Z# ;)z7(Q}7dC LDAP RQ-9CC'ndK LDAP ?} BP>}T>KT;,==\mDDvJ'#?v<9CK;,DO$=(# g{ Frank DJ'f"ZD~O"9CD~xPO$,G4 Frank DZZ /etc/ security/users P`FZBPZ]# frank: SYSTEM = files registry = files g{ Karen DJ'f"ZD~O"9C Kerberos xPO$,G4 Karen DZZ /etc/ security/users P`FZBPZ]# karen: SYSTEM = KRB5files registry = KRB5files g{ Luke DJ'f"Z LDAP O"9C Kerberos xPO$,G4 Luke DZZ /etc/ security/users P`FZBPZ]# luke: SYSTEM = KRB5LDAP registry = KRB5LDAP g{ Lucy DJ'f"Z LDAP O"9C LDAP xPO$,G4 Lucy DZZ /etc/ security/users P`FZBPZ]# lucy: SYSTEM = LDAP registry = LDAP *7(C'Gq(eZ LDAP O,IT9CBP|n4i/C'# Z 8 B 2+e~ 201 $ lsuser -R LDAP lucy lucy id=1234 pgrp=staff groups=staff home=/home/lucy shell=/bin/ksh registry=LDAP *O$Mii/dC8w LDAP (Linux) S DB2 V9.7 ^)| 1 0|_f>*<,*7# DB2 }]b~qwZ Linux Yw5 3OT8w==9CyZ LDAP DO$,k9CIekO$#i (PAM)#&Q-dC LDAP ~qwTf"C'MiE"# *<.0 *Z DB2 }]bOtCT8w LDAP D'V,kjITBNq: 1. dCYw53T9C PAM O$C' 2. dC DB2 5} b)=hYh LDAP ~qw{O RFC 2307# }L 1. ** LDAP M PAM dCYw53,k4PTB=h: a. w*_P root C'(^DC'G<# b. 7#Q20 nss_ldap M pam_ldap Lr|#b=vLr|Z /lib(64) r /usr/ lib(64) ? /etc/ldap.conf D~: host # Address of ldap server base # The DN of the search base. rootbinddn # The bind DN to bind to LDAP ldap_version 3 # LDAP version pam_login_attribute uid # user ID attribute for pam user lookups nss_base_group # nsswitch configuration pertaining to group # search lookup d. Z /etc/ldap.secret D~PhC\k#&1;P root C'\;A!r4kK D~# e. 
Z /etc/pam.d/db2 P4(r^D PAM dCD~#KD~;&I root C'A !r4k#zI\Xk^DdCD~,b!vZ*9CDYw53Df>#T BG SUSE Linux Enterprise Server 10 Dy>dCD~: auth sufficient pam_unix2.so auth required pam_ldap.so use_first_pass account sufficient pam_unix2.so account required pam_ldap.so password required pam_pwcheck.so password sufficient pam_unix2.so use_authtok use_first_pass password required pam_ldap.so use_first_pass session required pam_unix2.so TZ Red Hat Enterprise Linux 5,k4gBy>^DdCD~: #%PAM-1.0 auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 100 quiet account sufficient pam_ldap.so account required pam_permit.so 202 }]b2+T8O password requisite pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 password sufficient pam_unix.so nullok use_authtok md5 shadowremember=3 password sufficient pam_ldap.so use_first_pass password required pam_deny.so session required pam_limits.so session required pam_unix.so DB2 'V9C pam_ldap.so"pam_unix.so M pam_unix2.so D PAM dC# 9Cd{ PAM #iDdCI\P',+G;\'V# f. hC Linux 53T(} LDAP 4Pii/#Z /etc/nsswitch.conf D~PR = group M passwd u?,"7#dk ldap w*i/=(# TBG group M passwd u?D>}: group: files ldap passwd: files ldap 2. *dC DB2 5}T9C8w LDAP O$,k4PTB=h: a. + DB2AUTH Sn"amd?hC* OSAUTHDB# w*_P SYSADM (^DC'" vTB|n: db2set DB2AUTH=OSAUTHDB b. Z~qwO+O$hC*BPNN;V: v SERVER v SERVER_ENCRYPT v DATA_ENCRYPT c. 7#9CDG1!5 Client Userid-Password Plugin (clnt_pw_plugin)"Server Userid-Password Plugin (srvcon_pw_plugin) M Group Plugin (group_plugin)# d. XBt/ DB2 5}# *O$Mii/dC8w LDAP (HP-UX) S DB2 V9.7 FP1 0|_f>*<,*7# DB2 }]b~qwZ HP-UX Yw53 OT8w==9CyZ LDAP DO$,h*9CIekO$#i (PAM)#&Q-dC LDAP ~qwTf"C'MiE"# *<.0 K}LYh LDAP ~qw{O RFC 2307# }L 1. g{9CDG IBM Tivoli Directory Server (ITDS) V6.1,G4XkHhC LDAP ~ qw,HP-UX 53E\kd,S#*Z HP-UX Yw53OdC LDAP ~qw, k4PTB=h: a. Z LDAP ~qwOw*_P root C'(^DC'G<# b. 
"v idsldapadd |n: idsldapadd -D -w -h -p -c -i duaconfigschema.ldif where, - the bind dn to bind to LDAP - the password for bind dn - hostname of the LDAP server - the port LDAP server is running. Default is 389 - LDIF file contains DUAConfigProfle Schema Z 8 B 2+e~ 203 g{9C Netscape r Red Hat Directory Server,G4a9C LDAP-UX 20 LrT/+ duaconfigschema.ldif PPvDTs`mSA LDAP ~qw#+ G,g{9C ITDS,G4Z HP-UX Client OKP LDAP-UX 20Lr.0, XkV/mSCTs`# 2. ** LDAP M PAM dCYw53,k4PTB=h: a. w*_P root C'(^DC'G<# b. 20 LDAP-UX Client Service "KP LDAP-UX 20Lr# +vVTBA;: [ctrl-B]=Go Back screen 2 Hewlett-Packard Company LDAP-UX Client Services Setup Program ------------------------------------------------------------------------ Select which Directory Server you want to connect to: 1. Netscape or Red Hat Directory 2. Windows 2000/2003/2003 R2 Active Directory To accept the default shown in brackets, press the Return key. Directory Server: [1]: k!q!n 1,Mqz,SA Netscape r Red Hat Directory Server ;y"4 U8>E"xPYw# PX20 LDAP-UX Dj8E",kND LDAP-UX Client Services B.04.15 Administrator’s Guide# c. `- /etc/pam.conf PD PAM dCD~#+TBD>mSACD~: db2 auth required libpam_hpsec.so.1 db2 auth sufficient libpam_unix.so.1 db2 auth required libpam_ldap.so.1 use_first_pass H0DdCWHkT>XD~53liC'j6M\k#g{R;=C'rr >XD~53O$'\,G4|+;4P LDAP i/# DB2 'V9C libpam_ldap.so M libpam_unix.so D PAM dC#9Cd{ PAM #iDdCI\P',+G;\'V# d. hC HP-UX 53T(} LDAP 4Pii/#Z /etc/nsswitch.conf D~P R= group M passwd u?,"7#dk ldap w*i/=(# TBG group M passwd u?D>}: group: files ldap passwd: files ldap 3. *dC DB2 5}T9C8w LDAP O$,k4PTB=h: a. + DB2AUTH Sn"amd?hC* OSAUTHDB# w*_P SYSADM (^DC'" vTB|n: db2set DB2AUTH=OSAUTHDB b. 9C UPDATE DBM CFG |n+}]b~qw5}ODO$hC*BPNN; VO$`M: v SERVER v SERVER_ENCRYPT v DATA_ENCRYPT v CLIENT c. k7#z9CDGM'zC'j6/\ke~ (clnt_pw_plugin)"~qwC'j 6/\ke~ (srvcon_pw_plugin) Mie~ (group_plugin) D1!U5#1! 204 }]b2+T8O e~* IBMOSauthclient"IBMOSauthserver M IBMOSgroups;g{z+e~{ FD5#t*UW,G4a58b)e~# d. 
XBt/ DB2 5}# ": 8w LDAP 49C IBMLDAPSecurity.ini#KD~v) LDAP e~#i9C# *O$Mii/dC8w LDAP (Solaris) S DB2 V9.7 FP1 0|_f>*<,*7# DB2 }]b~qwZ Solaris Yw53O T8w==9CyZ LDAP DO$,h*9CIekO$#i (PAM)#&Q-dC LDAP ~qwTf"C'MiE"# *<.0 K}LYh LDAP ~qw{O RFC 2307# XZKNq KNqhvKJCZ Solaris 10 D=h#b)8>E"TZd{f>D Solaris Yw5 3I\TP;,# }L 1. 4PTB=h4* LDAP M PAM dCYw53: a. w*_P root C'(^DC'G<# b. 7#Q20 nss_ldap M pam_ldap Lr|#b=vLr|Z /usr/lib M /usr/ lib/security ?* nss_ldap.so M pam_ldap.so# c. hCYw53TCw LDAP M'z# ldapclient(1M) gfICZ"v ldapclient |n#TBGy>dv: ldapclient manual -a credentialLevel=proxy \ -a authenticationMethod=simple \ -a proxyDN= \ -a proxyPassword= \ -a defaultSearchBase= \ -a serviceSearchDescriptor=group: \ -a domainName= \ -a defaultServerList= dP, *s(= LDAP Ds( dn#bG LDAP ~qwPJmQw LDAP ~ qwT!CC'J'MiDC'u?D dn s( dn D\k Qwu~D dn#K dn &HC'Miu?_;v6p f"iE"D;CDy> dn LDAP ~qwDr{ Z 8 B 2+e~ 205 LDAP ~qwD IP X7 PX|`E",kND ldapclient(1M) Va# d. `- /etc/pam.conf PD PAM dCD~#+TBD>mSACD~: db2 auth requisite pam_authtok_get.so.1 db2 auth required pam_unix_cred.so.1 db2 auth sufficient pam_unix_auth.so.1 db2 auth required pam_ldap.so.1 H0DdCWHkT>XD~53liC'j6M\k#g{R;=C'rr >XD~53O$'\,G4|+;4P LDAP i/# DB2 'V9C pam_ldap.so M pam_unix_auth.so D PAM dC#9Cd{ PAM #iDdCI\P',+G;\'V# e. hC Solaris 53T(} LDAP 4Pii/#Z /etc/nsswitch.conf D~PR = group M passwd u?,"7#dk ldap w*i/=(# TBG group M passwd u?D>}: group: files ldap passwd: files ldap 2. 4PTB=h4dC DB2 5}T9C8w LDAP O$: a. + DB2AUTH Sn"amd?hC* OSAUTHDB# w*_P SYSADM (^DC'" vTB|n: db2set DB2AUTH=OSAUTHDB b. Z~qwO+O$hC*BPNN;V: v SERVER v SERVER_ENCRYPT v DATA_ENCRYPT c. 7#9CDG1!5 Client Userid-Password Plugin (clnt_pw_plugin)"Server Userid-Password Plugin (srvcon_pw_plugin) M Group Plugin (group_plugin)# d. 
XBt/ DB2 5}# ":8w LDAP 49C IBMLDAPSecurity.ini#KD~v) LDAP e~#i9C# dC LDAP e~#i *dC LDAP e~#i,h*|B IBM LDAP 2+e~dCD~TJOzD73# s`}ivB,zh*I/ LDAP \m1T7(J1DdC5# IBM LDAP 2+e~dCD~D1!{FM;CG: v Z UNIX O:INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini v Z Windows O:%DB2PATH%\cfg\IBMLDAPSecurity.ini (I!)IT9C DB2LDAPSecurityConfig 73d?48(KD~D;C#Z Win- dows O,&Z+V5373PhC DB2LDAPSecurityConfig,T7# DB2 ~qQ9 C# BPwma)KE"4ozz7(J1DdC5# 206 }]b2+T8O m 31. k~qw`XD5 N} hv LDAP_HOST LDAP ~qwD{F# bG;vCUqVtD LDAP ~qwwz{r IP X7 (?vwz{r IP X79IT=x;vKZE)DPm# }g:host1[:port] [host2:[port2] ... ]# 1!KZEG 389,g{tCK SSL,G41!KZE* 636# ENABLE_SSL *tC SSL 'V,&+ ENABLE_SSL hC* TRUE (Xk20 GSKit)# bG;vI!N}; |1!* FALSE(4,;P SSL 'V)# SSL_KEYFILE SSL \?7D76# v1 LDAP ~qw}Z9C GSKit 20 ;aT/END$i1Eh*\?D~# }g:SSL_KEYFILE = /home/db2inst1/IBMLDAPSecurity.kdb SSL_PW SSL \?7\k#}g:SSL_PW = keyfile-password m 32. kC'`XD5 N} hv USER_ OBJECTCLASS CZC'D LDAP Ts`# (#,+ USER_OBJECTCLASS hC* inetOrgPerson(Microsoft Active Directory DC')# }g:USER_OBJECTCLASS = inetOrgPerson USER_BASEDN QwC'1*9CD LDAP y> DN# g{48(,G4+S LDAP ?C'j6D LDAP C'tT# USERID_ATTRIBUTE tT+k USER_OBJECTCLASS M USER_BASEDN(g{8(Kb=vtT)iOZ;p, TZC'9C4^(DC'j6"v DB2 CONNECT od19l LDAP Qw}Kw# }g,g{ USERID_ATTRIBUTE = uid,G4"vTBod: db2 connect to MYDB user bob using bobpass Ma9lTBQw}Kw: &(objectClass=inetOrgPerson)(uid=bob) AUTHID_ ATTRIBUTE CZm> DB2 Z(j6D LDAP C'tT# (#,KN}D5k USERID_ATTRIBUTE D5`,# }g:AUTHID_ATTRIBUTE = uid Z 8 B 2+e~ 207 m 33. 
ki`XD5 N} hv GROUP_ OBJECTCLASS CZiD LDAP Ts`# (#bG groupOfNames r groupOfUniqueNames (TZ Microsoft Active Directory,|* group)# }g:GROUP_OBJECTCLASS = groupOfNames GROUP_BASEDN Qwi1*9CD LDAP y> DN# g{48(,G4+S LDAP ?iD{FD LDAP itT# }g:GROUPNAME_ATTRIBUTE = cn GROUP_LOOKUP_ METHOD 7(C4iRC'DiI1JqD=(#I\D5|(: v SEARCH_BY_DN - 8>*Qw+C'P>*dI1Di#I1Jq GI(e* GROUP_LOOKUP_ATTRIBUTE DitT((#* mem- ber r uniqueMember)8>D# v USER_ATTRIBUTE - ZK}P,C'DiGw*C'Ts>mDt T 4 P > D # K h C8> * Qw( e * GROUP_LOOKUP_ATTRIBUTE DC'tTTq!C'Di((#, TZ Microsoft Active Directory * memberOf,TZ IBM Tivoli Direc- tory Server * ibm-allGroups)# }g:GROUP_LOOKUP_METHOD = SEARCH_BY_DN GROUP_LOOKUP_METHOD = USER_ATTRIBUTE GROUP_LOOKUP_ ATTRIBUTE C 4 7 ( i I 1 J q D t T D { F , g T Z GROUP_LOOKUP_METHOD xPDhv# }g: GROUP_LOOKUP_ATTRIBUTE = member GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups NESTED_GROUPS g{ NESTED_GROUPS * TRUE,G4 DB2 }]b\mw+(}" TiRyR=D?viDiI1Jq4]iQwiI1Jq# }7&mK-7(}g,A tZ B,x B VtZ A)# KN}GI!D,d1!5* FALSE# m 34. d{5 N} hv SEARCH_DN M SEARCH_PW g{ LDAP ~qw;'Vd{CJ,r_ZQwC'ri1d{CJ;c, G4IT!q(e+C44PQwD DN M\k# }g: SEARCH_DN = cn=root SEARCH_PW = rootpassword DEBUG + DEBUG hC* TRUE,T+nbE"4k db2diag U>D~,Sxo zwTk LDAP `XDJb# s`}=SE"# } g , g { z D LDAP C ' j 6 4 p 4 q g S J ~ X 7 ( } g , jsmith@sales.widgetcorp.com),+Gzk;+C'?V(4,jsmith)Cw DB2 Z(j 6,G4zIT4gBy>45V: 1. 9|,|L{FDBtTk LDAP ~qwODyPC'Ts`X* 2. 9CKBtTD{F4dC AUTHID_ATTRIBUTE ZG,C'(}8({GDj{ LDAP C'j6M\kM\;,SA DB2 }]b,} g: db2 connect to MYDB user ’jsmith@sales.widgetcorp.com’ using ’pswd’ +G,DB2 }]b\mwZZ?9C(} AUTHID_ATTRIBUTE lw=DL{F(Z K}P* jsmith)4m>CC'# ZtCMdC3v LDAP e~#i.s,C'IT9C`V;,DV{.,SA DB2 }]b: v j{ DN#}g: connect to MYDB user ’cn=John Smith, ou=Sales, o=WidgetCorp’ v ?V DN#g{9C?V DN MJ1DQwu~ DN(g{(eK)4Qw LDAP ? <,G4+;Qw=;v%dn#}g: connect to MYDB user ’cn=John Smith’ connect to MYDB user uid=jsmith v r%V{.(;|,HE)#9C USERID_ATTRIBUTE 4^(CV{."1w? 
V DN 4T}#}g: connect to MYDB user jsmith ":g{Z CONNECT odr ATTACH |nOa)DNNV{.P|,UqrXbV {,G4Xk9C%}ETCV{.xP(g# ii/D"bBn iI1JqE"(#GZ LDAP ~qwOw*C'TstTriTstT4m>D: v w*C'TstT ?vC'Ts<_P;vF* GROUP_LOOKUP_ATTRIBUTE DtT,ITi/K tTTlwCC'DyPiI1Jq# 210 }]b2+T8O v w*iTstT ?viTs<_P;v2F* GROUP_LOOKUP_ATTRIBUTE DtT,IT9CK tT4P>w*CiDI1DyPC'Ts#IT(}Qw+X(C'TsP>* I1DyPi46YCC'ytDi# m` LDAP ~qw}Py>T|GxPdC: GROUP_LOOKUP_METHOD = SEARCH_BY_DN GROUP_LOOKUP_ATTRIBUTE = groupOfNames Microsoft Active Directory (#+iI1Jqw*C'tT4f","RIT4TB> }Py>4T|GxPdC: GROUP_LOOKUP_METHOD = USER_ATTRIBUTE GROUP_LOOKUP_ATTRIBUTE = memberOf IBM Tivoli Directory Server ,1'VOv=V=(#*i/3vC'DiI1Jq, IT{CXbC'tT ibm-allGroups,gTB>}Py>: GROUP_LOOKUP_METHOD = USER_ATTRIBUTE GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups d{ LDAP ~qwI\aa)`FDXbtT4ozlwiI1Jq#(#,(}C' tT4lwI1JqHQw+CC'P>*I1DiDYH|l# TO$ LDAP C'rlwi1zzDJbxPJOoO g{ZO$ LDAP C'rlw{GDi1v=Jb,G4 db2diag U>D~M\mU >PDE"\JCZozxPJOoO# "zJO1,LDAP e~#i(#+G< LDAP 5Xk"Qw}KwT0d{PC} ]#g{tC LDAP e~dCD~PD DEBUG !n,G4e~#i+Z db2diag U >D~PG<|`E"#d;bPzZJOoO,+G(i;*Zzz53P9CK =(,bGr*+yPnbD}]4k%vD~PavS*z# 7#+}]b\mwPD diaglevel dCN}hC* 4,Tc+6q LDAP e~#i PzzDyP{"# Z 8 B 2+e~ 211 `42+e~ DB2 gN0k2+e~ *K9 DB2 }]b53_PwC2+e~/}yXhDE",2+e~Xk_P}7 hCDuED/}8ka9 v 8r;va9D8k,Ca9|,8ryPh*5VD API D8k v 8r/}D8k,C/}CZ+U>{"mSA db2diag U>D~ v 8rms{"V{.D8k v ms{"D$H TBG;vilwe~Du: v +8kD/}8k?F`M*;*J1D/}a9 v 8(8rbPd{/}D8k v 8(}Z5XD/}8ka9Df>E DB2 IT1ZX`NwCe~umITd1M'z#g{}]b~qwODM'zM~qwe~;Z,; vD~P,G4 DB2 ITwCe~u|U9"X Bum|,D]e)xPV4D&\#e~b9&Cx ;Wv C++ l#,r*b2aA- DB2 Dms&m&\# _L2+ e~bXk#$_L2+"RIXk#e~umXBxPumD RPATH P8( K^F;JCZ Windows Yw53# {Ee; &!I\9C\5M"z{Ee;DI\TDNNIC!n(}g,IuYb }s(b?{E}CDG)!n)4`kM4Se~b#}g,Z HP"Solaris Z 8 B 2+e~ 213 M Linux O9C ″-Bsymbolic″ 4SLr!nPzZ@9"zk{Ee;`XD Jb#+G,TZZ AIX O`4De~,;*T=r~=9C "-brtl" 4S Lr!n# 32 ;M 64 ;&CLr 32 ;&CLrXk9C 32 ;e~#64 ;&CLrXk9C 64 ;e~#k NDPX 32 ;M 64 ;&CLrD"bBnDwbTKb|`j8E"# D>V{. 
";\#$dkD>V{.;(T null ax,Kb,dvV{.";h*T null ax#+G,*yPdkV{.x(K{}$H,"**5XD$Hx(K 8r{}D8k# +]Z(j6N} DB2 +]=e~PDZ(j6(authid)N}(bG;vdk authid N})+ |,;vs4DZ(j6,"Ra}%ndDUq#Ie~5Xx DB2 D authid N}(bG;vdv authid N});h*NNXb&m,+G DB2 + 4UZ? DB2 j<+ authid *;*s4"9CUq+|nz# TN}Ds!^F e~ API TN}$HD^FgB: #define DB2SEC_MAX_AUTHID_LENGTH 255 #define DB2SEC_MAX_USERID_LENGTH 255 #define DB2SEC_MAX_USERNAMESPACE_LENGTH 255 #define DB2SEC_MAX_PASSWORD_LENGTH 255 #define DB2SEC_MAX_DBNAME_LENGTH 128 X(De~5VI\a*sr_?FZ(j6"C'j6M\k9C|!Dn s$H#XpG,ZYw53^FMZOv^FDivB,f DB2 }]b53 ;pa)DYw53O$e~+\IYw53?F)SDnsC'"iM{F Ud$H^F# AIX PD2+e~b)9{ Z AIX 53P,2+e~bDD~)9{IT* .a r .so#C40ke~b DzF!vZy9CD)9{: v D~)9{* .a De~b;O*G|,2mTsI1Di5#b)I1Xk |{* shr.o(32 ;)r shr64.o(64 ;)#%vi5PIT,1|, 32 ; M 64 ;DI1,RJm+|?pZ=V`MD=(O# }g,*9( 32 ;i5N=De~b: xlc_r -qmkshrobj -o shr.o MyPlugin.c -bE:MyPlugin.exp ar rv MyPlugin.a shr.o v D~)9{* .so De~b;O*GI/,0kD2mTs#bVTsG 32 ;r 64 ;D,b!vZ9(KTs1y9CD`kwM4SLr!n#} g,*9( 32 ;De~b: xlc_r -qmkshrobj -o MyPlugin.so MyPlugin.c -bE:MyPlugin.exp Z} AIX .bDyP=(O,2+e~bJmz9C 128 vV ZDZ(j6,+G,1Z(j6;bM*Yw53C'j6ri{1,&q-Yw 53|{^F(}g,C'j6D$H^F* 8 = 30 vV{,i{* 30 vV{)# rK,d;zITZh;v 128 VZDZ(j6,+Gw*;v_PCZ(j6DC ',z4^(xP,S#g{z`4T:D2+e~,G4&C\;dV{CZ(j 6D)9s!#}g,zIT*2+e~8(;v 30 VZDC'j6,"RZO$Z d|I\a5X;v 128 VZDZ(j6,zIT9CKZ(j6xP,S# InfoSphere® Federation Server 'V^F DB2 II ;'V9C GSS_API e~PD/P>$4("k}]4Dv>,S#k}]4 D,SXkLx9C CREATE USER MAPPING |n# }]b\m~qw'V^F DB2 \m~qw (DAS) ;'V2+e~#DAS v'VYw53O$zF# DB2 M'zD2+e~JbM^F (Windows) Z*"+?pZ Windows Yw53OD DB2 M'zPD2+e~1,k;*6Xe ~U9/}DNN(zb#K^FJCZyP`MDM'z2+e~,|(ie~"“ C'j6/\k”e~"Kerberos e~M GSS-API e~#IZZNN Windows =(O< ;awCb)U9 API(}g,db2secPluginTerm"db2secClientAuthPluginTerm M db2secServerAuthPluginTerm),rK,zh*4PJ1DJ4e}# K^Fzk6X Windows OD DLL `X*De}Jb`X# Z AIX O0k)9{* .a r .so De~b Z AIX O,2+e~bDD~)9{IT* .a r .so#C40ke~bDzF!v Zy9CD)9{: Z 8 B 2+e~ 215 v D~)9{* .a De~b D~)9{* .a De~b;O*G|,2mTsI1Di5#b)I1Xk|{* shr.o(32 ;)r shr64.o(64 ;)#%vi5PIT,1|, 32 ;M 64 ;D 
I1,RJm+|?pZ=V`MD=(O# }g,*9( 32 ;i5N=De~b: xlc_r -qmkshrobj -o shr.o MyPlugin.c -bE:MyPlugin.exp ar rv MyPlugin.a shr.o v D~)9{* .so De~b D~)9{* .so De~b;O*GI/,0kD2mTs#bVTsG 32 ;r 64 ;D,b!vZ9(KTs1y9CD`kwM4SLr!n#}g,*9( 32 ; De~b: xlc_r -qmkshrobj -o MyPlugin.so MyPlugin.c -bE:MyPlugin.exp Z} AIX .bDyP=(O,2+e~b4PC API GI&9G'\#5Xk5 0 8>QI&KPC API#} -3"-4 M -5 .bDyP:}5Xk<8>C API v =Kms# S2+e~ API 5XDyP:}5Xk(-3"-4 M -5 }b)<3dA SQLCODE -1365"SQLCODE -1366 r SQLCODE -30082#5 -3"-4 M -5 C48>Z(j6 Gqm>P'DC'ri# yP2+e~ API 5Xk;vC'9G Yw53i# db2secDoesAuthIDExist -5 DB2SEC_PLUGIN _GROUPSTATUSNOTKNOWN 4*i4,#DB2 ";O*bG; vms;GRANT od9C|47 ( authid Gm>;vC'9GY w53i# db2secDoesGroupExist -6 DB2SEC_PLUGIN_UID_EXPIRED C'j6=Z# db2secValidatePassword db2GetGroupsForUser db2secGenerateInitialCred -7 DB2SEC_PLUGIN_PWD_EXPIRED \k=Z# db2secValidatePassword db2GetGroupsForUser db2secGenerateInitialCred -8 DB2SEC_PLUGIN_USER_REVOKED 7zKC'# db2secValidatePassword db2GetGroupsForUser -9 DB2SEC_PLUGIN _USER_SUSPENDED C';]R# db2secValidatePassword db2GetGroupsForUser -10 DB2SEC_PLUGIN_BADPWD \kms# db2secValidatePassword db2secRemapUserid db2secGenerateInitialCred -11 DB2SEC_PLUGIN _BAD_NEWPASSWORD B\kms# db2secValidatePassword db2secRemapUserid -12 DB2SEC_PLUGIN _CHANGEPASSWORD _NOTSUPPORTED ;'V|D\k# db2secValidatePassword db2secRemapUserid db2secGenerateInitialCred -13 DB2SEC_PLUGIN_NOMEM IZZf;c,rKe~"TVd Zf'\# yP -14 DB2SEC_PLUGIN_DISKERROR e~v=KELms# yP -15 DB2SEC_PLUGIN_NOPERM IZe~T3vD~DmI(m s,rKe~"TCJCD~1' \# yP -16 DB2SEC_PLUGIN_NETWORKERROR e~v=Kxgms# yP -17 DB2SEC_PLUGIN _CANTLOADLIBRARY e~^(0kXhDb# db2secGroupPluginInit db2secClientAuthPluginInit db2secServerAuthPluginInit -18 DB2SEC_PLUGIN_CANT _OPEN_FILE e~^(r*"A!3vD~,+ ";Gr*1YCD~r_D~m I(;c# yP Z 8 B 2+e~ 217 m 38. 
2+e~5Xk (x) 5Xk (e5 ,e JCD API -19 DB2SEC_PLUGIN_FILENOTFOUND e~^(r*"A!3vD~,r *D~53P;fZCD~# yP -20 DB2SEC_PLUGIN _CONNECTION_DISALLOWED e~\x,S,r*Jm}]bx P,S1\=^F,r_ TCP/IP X7;\,SAX(}]b# yP~qwKe~ API# -21 DB2SEC_PLUGIN_NO_CRED vTZ GSS API e~:1Yu< M'z>$# db2secGetDefaultLoginContext db2secServerAuthPluginInit -22 DB2SEC_PLUGIN_CRED_EXPIRED vTZ GSS API e~:M'z> $=Z# db2secGetDefaultLoginContext db2secServerAuthPluginInit -23 DB2SEC_PLUGIN _BAD_PRINCIPAL_NAME vTZ GSS API e~:we{F ^'# db2secProcessServer PrincipalName -24 DB2SEC_PLUGIN _NO_CON_DETAILS K5XkI db2secGetConDetails Xw5X(}g,S DB2 5Xx e~),T8> DB2 ^(7(M 'zD TCP/IP X7# db2secGetConDetails -25 DB2SEC_PLUGIN _BAD_INPUT_PARAMETERS wCe~ API 1,3)N}^' r_;fZ# yP -26 DB2SEC_PLUGIN _INCOMPATIBLE_VER e~(fD API Df>k DB2 ;f]# db2secGroupPluginInit db2secClientAuthPluginInit db2secServerAuthPluginInit -27 DB2SEC_PLUGIN_PROCESS_LIMIT ;Pc;J4ICZe~44(B DxL# yP -28 DB2SEC_PLUGIN_NO_LICENSES e~v=KC'mI$Jb#I\ WczFmI$Qo=^F# yP -29 DB2SEC_PLUGIN_ROOT_NEEDED e~"TKPh* root C'X( D&CLr# yP -30 DB2SEC_PLUGIN_UNEXPECTED_ SYSTEM_ERROR e~v=bb53ms#1053 dCI\;\'V# yP kT2+e~Dms{"&m 12+e~ API "zms1,K API aZ errormsg VNP5X;v ASCII D>V {.,|H5Xk\TJba)|_eDhv# }g,errormsg V{.PIT|, "File /home/db2inst1/mypasswd.txt does not exist." 
DB2 +QKV{.j{X4k DB2 \m(*U>,Z3) SQL {"P9+ |,KV{.DWNf>w*;vjG#r* SQL {"PDjGv$H\=^F,y T&9b){"#VHOL,"Rb){"DITDdDX*?V&;ZCV{.D 0K#*KozwT,ID~P#}g: // Log an message indicate init successful (*(logMessage_fn))(DB2SEC_LOG_CRITICAL, "db2secGroupPluginInit successful", strlen("db2secGroupPluginInit successful")); PX db2secLogMessage /}D?vN}D|`j8E",kND?Ve~`MDu< / API# 2+e~ API DwC3r y]wC2+e~ API 1ivD;,,DB2 }]b\mwwC2+e~ API D3r aPd/# TBG DB2 }]b\mwZdPwC2+e~ API Dw*=8: v Z(~=MT=)}]b,SDM'zO – CLIENT – yZ~qw(SERVER"SERVER_ENCRYPT M DATA_ENCRYPT) – GSSAPI M Kerberos v Z>XZ(DM'z"~qwrxXO v Z}]b,SD~qwO v Z GRANT odD~qwO v Z*q!Z(j6ytiDPmD~qwO ":DB2 }]b~qwqM'z&CLr;y4T}h*>XZ(D}]bYw,}g db2start"db2stop M db2trc# TZOv?;nYw,DB2 }]b\mwwC2+e~ API D3rG;,D#TBG ZOv?V=8B DB2 }]b\mwwC API D3r# CLIENT - ~= 1C'dCDO$`M* CLIENT 1,DB2 M'z&CLr+wCBP2+e ~ API: v db2secGetDefaultLoginContext(); v db2secValidatePassword(); v db2secFreetoken(); TZ~=O$,4,Z48(X(C'j6r\kDivBxP,S1,g{ z}Z9CC'j6/\ke~,G4+wC db2secValidatePassword API#K API Jme~*"_ZX*1{9~=O$# CLIENT - T= ZT=O$1,4,Z,18(KC'j6M\kDivB,SA}]b1, Z 8 B 2+e~ 219 g{ authentication }]b\mwdCN}hC* CLIENT,G4 DB2 M' z&CLr+`NwCBP2+e~ API(g{5V*sbyv): v db2secRemapUserid(); v db2secValidatePassword(); v db2secFreeToken(); yZ~qw(SERVER"SERVER_ENCRYPT M DATA_ENCRYPT)- ~= Z~=O$1,1M'zM~qw-LC'j6/\kO$(}g,1~qw PD srvcon_auth N}hC* SERVER"SERVER_ENCRYPT"DATA_ENCRYPT r DATA_ENCRYPT_CMP 1),M'z&CLr+wCBP2+e~ API: v db2secGetDefaultLoginContext(); v db2secFreeToken(); yZ~qw(SERVER"SERVER_ENCRYPT M DATA_ENCRYPT)- T= ZT=O$1,1M'zM~qw-LC'j6/\kO$(}g,1~qw PD srvcon_auth N}hC* SERVER"SERVER_ENCRYPT"DATA_ENCRYPT r DATA_ENCRYPT_CMP 1),M'z&CLr+wCBP2+e~ API: v db2secRemapUserid(); GSSAPI M Kerberos - ~= Z~=O$1,1M'zM~qw-L GSS-API r Kerberos O$(}g,1 ~qwPD srvcon_auth N}hC* KERBEROS"KRB_SERVER_ENCRYPT" GSSPLUGIN r GSS_SERVER_ENCRYPT 1),M'z&CLr+wCBP2+e~ API#(wC gss_init_sec_context() 19C GSS_C_NO_CREDENTIAL w*d k>$#) v db2secGetDefaultLoginContext(); v db2secProcessServerPrincipalName(); v 
gss_init_sec_context(); v gss_release_buffer(); v gss_release_name(); v gss_delete_sec_context(); v db2secFreeToken(); hz`w GSS-API 'V,IT`NwC gss_init_sec_context()(g{5V*s byv)# GSSAPI M Kerberos - T= g{-LDO$`MG GSS-API r Kerberos,G4M'z&CLr+4TB3 rwC GSS-API e~DBP2+e~ API#}GmPyw,qrb) API + ,1CZ~=MT=O$# v db2secProcessServerPrincipalName(); v db2secGenerateInitialCred();(vJCZT=O$) v gss_init_sec_context(); v gss_release_buffer (); v gss_release_name(); v gss_release_cred(); v db2secFreeInitInfo(); 220 }]b2+T8O v gss_delete_sec_context(); v db2secFreeToken(); g{S~qw5XK`%O$nF"R5V2h*|,G4I\a`NwC gss_init_sec_context() API# Z>XZ(DM'z"~qwrxXO TZ>XZ(,y9CD DB2 |nawCBP2+e~ API: v db2secGetDefaultLoginContext(); v db2secGetGroupsForUser(); v db2secFreeToken(); v db2secFreeGroupList(); TZ“C'j6/\k”M GSS-API O$zF;vP'i{# C'j6/\kO$ bVO$+7(1!2+OBD(vJCZM'z)"i$\kM(I!)| D\k"7(x(DV{.Gqm>;vP'C'(vJCZ~qw)"Z+ M'zOa)DC'j6r\k"MA~qw.0^DKC'j6r\k(v JCZM'z)"5Xkx(C'`X*D DB2 Z(j6# GSS-API O$ bVO$+5VXhD GSS-API &\"7(1!2+OBD(vJCZM' K)"y]C'j6M\kzIu<>$"(I!)|D\k(vJCZM' K)"4(MS\2+>%T05Xkx( GSS-API 2+OBD`X*D DB2 Z(j6# TBPmT>hve~ API 19CDuoD(e# e~ ;vI/,0kDb,DB2 +0kCbTCJIC'`4DO$riI1Jq i/&\# ~=O$ Z48(C'j6r\kDivB,SA}]b# T=O$ Z,18(KC'j6M\kDivB,SA}]b# Authid ;vZ?j6,m>+}]bPD(^MX(ZhDvKri#ZZ?,DB2 authid ;*;*s4,dn!$H* 8 vV{(;c 8 vV{rndUq)# 10,DB2 h*ITC 7 ; ASCII m>DZ(j6"C'j6"\k"i{" {FUdMr{# >XZ( Z5VZ(D~qwrM'z>XxPDZ(,+liC'GqP(4P}K ,SA}]b.bDYw,}g,t/M#9}]b\mw,r*MXU DB2 zYr_|B}]b\mwdC# {FUd Im`C'iID/OrVi,dPD?vC'j6}|( Windows rM Kerberos r#}g,Z Windows r “usa.company.com”P , y PC' { < X k G ( ; D # } g , “user1@usa.company.com”#+G,m;vrPD,;vC'j6(}g, “user1@canada.company.com”)4m>m;vC'#j DB2 +*2+e~ API N}dk5# dv 8>2+e~ API +* API N}8(5# ilwe~D API TZilwe~#i,h*5VBP API: v db2secGroupPluginInit ":db2secGroupPluginInit API (}TB-M+8r API D8k *logMessage_fn w *dk: SQL_API_RC (SQL_API_FN db2secLogMessage) ( db2int32 level, void *data, db2int32 length ); db2secLogMessage API Jme~+{"G<= db2diag U>D~P,TcxPwT rN<#K API GI DB2 
}]b53a)D,rKz;h*5VK API# v db2secPluginTerm v db2secGetGroupsForUser v db2secDoesGroupExist v db2secFreeGroupListMemory v db2secFreeErrormsg v (;h*Zb?IbvD API G db2secGroupPluginInit#K API +IC void * N},&+|?F`M*;*TB`M: typedef struct db2secGroupFunctions_1 { db2int32 version; db2int32 plugintype; SQL_API_RC (SQL_API_FN * db2secGetGroupsForUser) ( const char *authid, db2int32 authidlen, const char *userid, db2int32 useridlen, const char *usernamespace, db2int32 usernamespacelen, db2int32 usernamespacetype, const char *dbname, db2int32 dbnamelen, const void *token, db2int32 tokentype, db2int32 location, const char *authpluginname, db2int32 authpluginnamelen, void **grouplist, db2int32 *numgroups, char **errormsg, db2int32 *errormsglen ); SQL_API_RC (SQL_API_FN * db2secDoesGroupExist) ( const char *groupname, db2int32 groupnamelen, char **errormsg, 224 }]b2+T8O db2int32 *errormsglen ); SQL_API_RC (SQL_API_FN * db2secFreeGroupListMemory) ( void *ptr, char **errormsg, db2int32 *errormsglen ); SQL_API_RC (SQL_API_FN * db2secFreeErrormsg) ( char *msgtobefree ); SQL_API_RC (SQL_API_FN * db2secPluginTerm) ( char **errormsg, db2int32 *errormsglen ); } db2secGroupFunctions_1; db2secGroupPluginInit API 8(Kb?ICDd`/}DX7# ":_1 8>bGkf> 1 D API `T&Da9#sxSZf>D)9{+@N* _2"_3 HH# db2secDoesGroupExist API - liiGqfZ 7( authid Gqm>;vi# g{ groupname fZ,G4K API Xk\;5X5 DB2SEC_PLUGIN_OK T8>I & # g { i { ^ ' , G 4 | 9 X k \ ; 5 X 5 DB2SEC_PLUGIN_INVALIDUSERORGROUP#g{;\7(dkGqGP'Di, G4JmK API 5X5 DB2SEC_PLUGIN_GROUPSTATUSNOTKNOWN#g{5XK “ i ^ ' ”(DB2SEC_PLUGIN_INVALIDUSERORGROUP) r _ “ 4 * i ”(DB2SEC_PLUGIN_GROUPSTATUSNOTKNOWN) 5,G4Z;xX|V USER M GROUP DivB"v GRANT od1,DB2 for Linux, UNIX, and Windows I\^ (7( authid G;vi9GC',b+ errormsg N}PDms{"V{.$H(TVZF) D{}D8k# db2secFreeErrormsg API - MEms{"Zf MEC4fEONwC API yzzDms{"DZf#bG(;;a5Xms{"D API#g{K API 5XKms,G4 DB2 +G errormsg N}PDms{"V{.$H(TVZF) D{}D8k# db2secGetGroupsForUser API - q!C'DiPm 5XC'ytDiDPm# API M}]a9o( SQL_API_RC ( SQL_API_FN 
*db2secGetGroupsForUser) ( const char *authid, db2int32 authidlen, const char *userid, db2int32 useridlen, const char *usernamespace, db2int32 usernamespacelen, db2int32 usernamespacetype, const char *dbname, 226 }]b2+T8O db2int32 dbnamelen, void *token, db2int32 tokentype, db2int32 location, const char *authpluginname, db2int32 authpluginnamelen, void **grouplist, db2int32 *numgroups, char **errormsg, db2int32 *errormsglen ); db2secGetGroupsForUser API N} authid dk#KN}5G;v SQL Z(j6,bb6E DB2 for Linux, UNIX, and Windows a+|*;*;x2?UqDs4V{.#DB2 for Linux, UNIX, and Windows wbPD“9C5w”?V# authidlen dk#authid N}5D$H(TVZF)#DB2 }]b\mwIO$e~a)D}]D`M#g{9CDO$e~yZ GSS- API,G4nF+hC* GSS-API OBDdz (gss_ctx_id_t)#g{9CDO $e~GyZ“C'j6/\k”De~,G4|+G(C`M#tokentype N} _PBPP'5(|GGZ db2secPlugin.h P(eD): v DB2SEC_GENERIC:8>nF4TZyZC'j6/\kDe~# v DB2SEC_GSSAPI_CTX_HANDLE:8>nF4TZyZ GSS-API(|( Kerberos) De~# location dk#8> DB2 for Linux, UNIX, and Windows GZM'K9G~qwKw CK API#location N}_PBPP'5(|GGZ db2secPlugin.h P(e D): v DB2SEC_SERVER_SIDE:m>*Z}]b~qwOwCK API# v DB2SEC_CLIENT_SIDE:m>*ZM'zOwCK API# authpluginname dk#a)KnFPD}]DO$e~D{F#db2secGetGroupsForUser API I \a9CKE"47(}7DiI1Jq#g{4O$ authid(}g,Z authid k10,SDC';%dDivB),G4 DB2 for Linux, UNIX, and Windows M;andKN}# authpluginnamelen dk#authpluginname N}5D$H(TVZF)# grouplist dv#C'ytDiDPm#iDPmXkw*;v8k5X,C8k8rI |,`v"C varchar De~VdDZf,N(varchar G;vV{}i,dP DZ;vVZ8>|sf_PDVZ})#$HG;v^{E}(1 vVZ), "+ groupname Dns$H^F* 255 vV{#}g,“\006GROUP1\ 007MYGROUP\008MYGROUP3”#?vi{<&CG;vP'D DB2 Z(j 6#XkIe~*K}iVdZf#rK,e~Xka);v API(}g, db2secFreeGroupListMemory API)) DB2 for Linux, UNIX, and Windows w CTMEZf# numgroups dv#grouplist N}P|,DiD}?# 228 }]b2+T8O errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secGetGroupsForUser API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF) D{}D8k# 9C5w TBPm5w1K API +;j{DiPm5Xx DB2 for Linux, UNIX, and Win- dows 1Ma"zJbDwViv: v Z CREATE SCHEMA odPa)K8C(^#g{ CREATE SCHEMA odP6 WK CREATE od,G4+T AUTHORIZATION 
NAME N}4PiiR# v Z MPP 73P&m JAR D~#Z MPP 73P,JAR &mksG(}a0Z(j 6S-wLrZcP"MD#?#db2secPlugin.h PD DB2SEC_API_VERSION 5|, DB2 }]b\mw10'VD API DnBf> E# group_fns d v # 8 r db2secGroupFunctions_( 2 F * group_functions_)a9D8k# Z 9 B 2+e~ API 229 db2secGroupFunctions_ a9|,8r*ilwe~5VD API D 8 k # + 4 I \ P ; , f > D API( } g , db2secGroupFunctions_),rK,group_fns N};?F`M * ; * 8 r k e ~ Q 5 V D f > ` T & D db2secGroupFunctions_ a 9 D 8 k # group_functions_ a9DZ;vN}+T DB2 for Linux, UNIX, and Windows f*e~Q5VD API Df>#"b:v1 DB2 f>_ZrH Ze~Q5VD API f>1EaxP?F`M*;#f>Em>Ie~5VD API Df>,"R pluginType &hC* DB2SEC_PLUGIN_TYPE_GROUP# logMessage_fn dk#8rI DB2 }]b535VD db2secLogMessage API D8k# db2secGroupPluginInit API ITwC db2secLogMessage API T+{"G<= db2diag U>D~P,TcxPwTr_)zN<#db2secLogMessage API D Z;vN} (level) 8(+GD~PDoOmsD`M,n s=vN}Vpm>{"V{.0d$H#db2secLogMessage API DZ;vN }_PBPP'5(|GGZ db2secPlugin.h P(eD): v DB2SEC_LOG_NONE: (0) ;G< v DB2SEC_LOG_CRITICAL: (1) ~qw"zms v DB2SEC_LOG_ERROR: (2) "zms v DB2SEC_LOG_WARNING: (3) /f v DB2SEC_LOG_INFO: (4) N< v1 db2secLogMessage API D level N}D5!ZrHZ diaglevel }] b\mwdCN}D51,{"D>EavVZ db2diag U>D~P#}g, g{9C DB2SEC_LOG_INFO 5,G4v1}]b\mwdCN} diaglevel h C* 4 1,db2diag U>D~PEavV{"D># errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secGroupPluginInit API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF) D{}D8k# db2secPluginTerm - e}ie~J4 MEilwe~y9CDJ4# DB2 }]b\mw+Z6Xilwe~.0wCK API#&CTby;V==45V |:|+}7e}e~b5PDNNJ4,}g,MEIe~VdDNNZf,XU T&Zr*4,DD~"XUxg,S#e~:pzYb)J4TcMEb)J4# ZNN Windows Yw53O<;awCK API# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secPluginTerm) ( char **errormsg, db2int32 *errormsglen ); 230 }]b2+T8O db2secPluginTerm API N} errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secPluginTerm API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF) D{}D8k# C'j6/\kO$e~D API TZC'j6/\ke~#i,h*5VBPM'K API: v db2secClientAuthPluginInit ":db2secClientAuthPluginInit API (}TB-M+ API D8k *logMessage_fn w *dk: SQL_API_RC 
(SQL_API_FN db2secLogMessage) ( db2int32 level, void *data, db2int32 length ); db2secLogMessage API Jme~+{"G<= db2diag U>D~P,TcxPwT r_)zN<#K API I DB2 }]b53a),rKz;h*5VK API# v db2secClientAuthPluginTerm v db2secGenerateInitialCred(vCZ gssapi) v db2secRemapUserid(I!) v db2secGetDefaultLoginContext v db2secValidatePassword v db2secProcessServerPrincipalName(bvJCZ GSS-API) v db2secFreeToken(CZME DLL ); OM_uint32 (SQL_API_FN * gss_delete_sec_context )(); OM_uint32 (SQL_API_FN * gss_display_status )(); OM_uint32 (SQL_API_FN * gss_release_buffer )(); OM_uint32 (SQL_API_FN * gss_release_cred )(); OM_uint32 (SQL_API_FN * gss_release_name )(); } g { z } Z ` 4 C ' j 6 / \ k e ~ , G 4 & 9 C db2secUseridPasswordClientAuthFunctions_1 a9#g{z}Z`4 GSS-API(|( Kerberos)e~,G4&9C db2secGssapiClientAuthFunctions_1 a9# TZC'j6/\ke~b,+h*5VBP~qwK API: v db2secServerAuthPluginInit db2secServerAuthPluginInit API (}BP-M+ db2secLogMessage API D8k *logMessage_fn T0 db2secGetConDetails API D8k *getConDetails_fn w*d k: SQL_API_RC (SQL_API_FN db2secLogMessage) ( db2int32 level, void *data, db2int32 length ); SQL_API_RC (SQL_API_FN db2secGetConDetails) ( db2int32 conDetailsVersion, const void *pConDetails ); db2secLogMessage API Jme~+{"G<= db2diag U>D~P,TcxPwT r_)zN<#db2secGetConDetails API Jme~q!PX+"T("}]b,SD M'zDj8E"#db2secLogMessage API M db2secGetConDetails API API Df># ":9C db2sec_con_details_1"db2sec_con_details_2 r db2sec_con_details_3 1,& ); SQL_API_RC (SQL_API_FN * db2secGetAuthIDs)(); SQL_API_RC (SQL_API_FN * db2secFreeToken)(); SQL_API_RC (SQL_API_FN * db2secFreeErrormsg)(); SQL_API_RC (SQL_API_FN * db2secServerAuthPluginTerm)(); } userid_password_server_auth_functions; r_ typedef struct db2secGssapiServerAuthFunctions_1 { db2int32 version; db2int32 plugintype; gss_buffer_desc serverPrincipalName; gss_cred_id_t ServerCredHandle; SQL_API_RC (SQL_API_FN * db2secGetAuthIDs)(); SQL_API_RC (SQL_API_FN * db2secFreeErrormsg)(); SQL_API_RC (SQL_API_FN * db2secServerAuthPluginTerm)(); /* GSS-API 
specific functions refer to db2secPlugin.h for parameter list*/ OM_uint32 (SQL_API_FN * gss_accept_sec_context )(); OM_uint32 (SQL_API_FN * gss_display_name )(); OM_uint32 (SQL_API_FN * gss_delete_sec_context )(); OM_uint32 (SQL_API_FN * gss_display_status )(); OM_uint32 (SQL_API_FN * gss_release_buffer )(); OM_uint32 (SQL_API_FN * gss_release_cred )(); OM_uint32 (SQL_API_FN * gss_release_name )(); } gssapi_server_auth_functions; g { z } Z ` 4 C ' j 6 / \ k e ~ , G 4 & 9 C db2secUseridPasswordServerAuthFunctions_1 a9#g{z}Z`4 GSS-API(|( Kerberos)e~,G4&9C db2secGssapiServerAuthFunctions_1 a9# db2secClientAuthPluginInit API - u dk#DB2 }]b\mw10'VD API Dn_f>E#db2secPlugin.h PD DB2SEC_API_VERSION 5|, DB2 for Linux, UNIX, and Windows 10'VD API DnBf>E# client_fns dv#g{9CK GSS-API O$,G4KN}m>8r DB2 }]b\mw* db2secGssapiClientAuthFunctions_ a9(2F* gssapi_client_auth_functions_)a)DZfD8k;g{9CK“ C ' j 6 / \ k ” O $ , G 4 K N } m > 8 r DB2 } ] b \ m w * db2secUseridPasswordClientAuthFunctions_ a9(2F* userid_password_client_auth_functions_)a)DZfD8k# db2secGssapiClientAuthFunctions_ a 9 M db2secUseridPasswordClientAuthFunctions_ a9Vp|,8r* GSS- API O$e~M“C'j6/\k”O$e~5VD API D8k#Z+4D DB2 for Linux, UNIX, and Windows f>P,I\aP;,f>D API,rK client_fns N } ; ? 
F ` M * ; * 8 r k e ~ Q 5 V D f > ` T & D gssapi_client_auth_functions_ a9D8k# gssapi_client_auth_functions_ a 9 r userid_password_client_auth_functions_ a9DZ;vN}+Qe~ Q5VD API Df>f*x DB2 }]b\mw# ":v1 DB2 f>_ZrHZe~Q5VD API f>1EaxP?F`M*;# Z gssapi_server_auth_functions_ r userid_password_server_auth_functions_ a9P,&+ plugintype N}hC* DB2SEC_PLUGIN_TYPE_USERID_PASSWORD"DB2SEC_PLUGIN_TYPE_GSSAPI r DB2SEC_PLUGIN_TYPE_KERBEROS#ITZ+4D API f>P(ed{5# logMessage_fn dk#8rI DB2 }]b\mw5VD db2secLogMessage API D8k# db2secClientAuthPluginInit API ITwC db2secLogMessage API T+{"G<= db2diag U>D~P,TcxPwTr_)zN<#db2secLogMessage API DZ; vN} (level) 8(+GD~PDoOmsD`M,ns=vN }Vpm>{"V{.0d$H#db2secLogMessage API DZ;vN}_PBPP '5(|GGZ db2secPlugin.h P(eD): v DB2SEC_LOG_NONE (0) ;G< v DB2SEC_LOG_CRITICAL (1) "zOXms v DB2SEC_LOG_ERROR (2) "zms v DB2SEC_LOG_WARNING (3) /f v DB2SEC_LOG_INFO (4) N< v1 db2secLogMessage API D“level”N}D5!ZrHZ diaglevel }]b\m wdCN}D51,{"D>EavVZ db2diag U>D~P#}g,g{9C DB2SEC_LOG_INFO 5,G4v1}]b\mwdCN} diaglevel hC* 4 1, db2diag U>D~PEavV{"D># Z 9 B 2+e~ API 237 errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secClientAuthPluginInit API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secClientAuthPluginTerm API - e}M'zO$e~J4 MEM'zO$e~y9CDJ4# DB2 }]b\mw+Z6XM'zO$e~.0wCK API#&CTby;V==45 V|:|+}7e}e~b5PDNNJ4,}g,MEIe~VdDNNZf,X UT&Zr*4,DD~"XUxg,S#e~:pzYb)J4TcMEb)J 4#ZNN Windows Yw53O<;awCK API# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secClientAuthPluginTerm) ( char **errormsg, db2int32 *errormsglen); db2secClientAuthPluginTerm API N} errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secClientAuthPluginTerm API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secDoesAuthIDExist - liO$j6GqfZ 7( authid Gqm>%vC'(}g,API IT+ authid 3dAb?C'j6)# g{ authid P',G4K API &5X5 DB2SEC_PLUGIN_OK;g{ authid ^',G 4K API &5X DB2SEC_PLUGIN_INVALID_USERORGROUP;g{;\7( authid Gq fZ,G4K API &5X DB2SEC_PLUGIN_USERSTATUSNOTKNOWN# API M}]a9o( 
SQL_API_RC ( SQL_API_FN *db2secDoesAuthIDExist) ( const char *authid, db2int32 authidlen, char **errormsg, db2int32 *errormsglen ); db2secDoesAuthIDExist API N} authid dk#*i$DZ(j6#Kj6ICs4,"R;P2?Uq# authidlen dk#authid N}5D$H(TVZF)# 238 }]b2+T8O errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secDoesAuthIDExist API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$HD{}D8k# db2secFreeInitInfo API - e}I db2secGenerateInitialCred < CDJ4 MEI db2secGenerateInitialCred API VdDNNJ4#b)J4IT|(WczFO BDDdzr_* GSS-API >$_Y:f4(D>$_Y:f# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secFreeInitInfo) ( void *initinfo, char **errormsg, db2int32 *errormsglen); db2secFreeInitInfo API N} initinfo dk#8r DB2 }]b\mw;*@D}]D8k#e~IT9CKZf4,$Z zI>$dz}LPyVdDJ4DPm#(}wCK API 4MEb)J4# errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secFreeInitInfo API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secFreeToken API - MEIjG errormsg N}PDms{"V{.$H(TVZF)D {}D8k# Z 9 B 2+e~ API 239 db2secGenerateInitialCred API - zIu<>$ db2secGenerateInitialCred API y]Q+kDC'j6M\k4q!u< GSS-API >$# TZ Kerberos,bGZh>%D>%(TGT)#pGSSCredHandle N}P5XD>$dz Gk gss_init_sec_context API dO9CDdz,"RXkG INITIATE r BOTH >$# v1a)KC'j6(9I\a)K\k)1EawC db2secGenerateInitialCred API# qr,wC gss_init_sec_context API 1,DB2 }]b\mw+8(5 GSS_C_NO_CREDENTIAL,Tm>+9CS10G$# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secGenerateInitialCred) ( const char *userid, db2int32 useridlen, const char *usernamespace, db2int32 usernamespacelen, db2int32 usernamespacetype, const char *password, db2int32 passwordlen, const char *newpassword, db2int32 newpasswordlen, const char *dbname, db2int32 dbnamelen, gss_cred_id_t *pGSSCredHandle, void **InitInfo, char **errormsg, db2int32 *errormsglen ); db2secGenerateInitialCred API N} userid dk#*Z}]b~qwOi$d\kDC'j6# useridlen dk#userid N}5D$H(TVZF)# usernamespace dk#SdPqCC'j6D{FUd# usernamespacelen dk#usernamespace N}5D$H(TVZF)# usernamespacetype dk#{FUdD`M# password dk#*i$D\k# passwordlen 
dk#password N}5D$H(TVZF)# newpassword dk#;vB\k(g{*|D\k)#g{4ks|D\k,G4 newpassword N}+hC* NULL#g{|;* NULL,G4K API Z+I\khC*B\k .0&i$I\k#K API "GXkjI|D\kDks,+Gg{4jIKk s,G4&"45X5 DB2SEC_PLUGIN_CHANGEPASSWORD_NOTSUPPORTED x;i$I \k# 240 }]b2+T8O newpasswordlen dk#newpassword N}5D$H(TVZF)# dbname dk#*,SAD}]bD{F#K API ITvTKN},g{K API _P^F C ' C J 3 ) } ] b D _ T , G 4 | I T 5 X 5 DB2SEC_PLUGIN_CONNECTION_DISALLOWED;qrb)C'+_PP'\k# dbnamelen dk#dbname N}5D$H(TVZF)# pGSSCredHandle dv#8r GSS-API >$dzD8k# InitInfo dv#8r DB2 for Linux, UNIX, and Windows ;*@D}]D8k#e~IT 9CKZf4,$ZzI>$dz}LPyVdDJ4DPm#O$}Lax1, DB2 }]b\mw+wC db2secFreeInitInfo API,K1+MEb)J4#g{ db2secGenerateInitialCred API ;h*,$by;vPm,G4|&C5X NULL# errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secGenerateInitialCred API ;I&,Ma5XKms{"# ":TZK API,g{5X58>msDC'j6r\k,G4;&4(ms{"# v1K API P"zK;vZ?msSxh9|}7jI1,E&5X;ums{ "# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secGetAuthIDs API - q!O$j6 5XQO$DC'D SQL Z(j6#TZ“C'j6/\k”M GSS-API O$=(,Z ("}]b,SZd<+wCK API# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secGetAuthIDs) ( const char *userid, db2int32 useridlen, const char *usernamespace, db2int32 usernamespacelen, db2int32 usernamespacetype, const char *dbname, db2int32 dbnamelen, void **token, char SystemAuthID[DB2SEC_MAX_AUTHID_LENGTH], db2int32 *SystemAuthIDlen, char InitialSessionAuthID[DB2SEC_MAX_AUTHID_LENGTH], db2int32 *InitialSessionAuthIDlen, char username[DB2SEC_MAX_USERID_LENGTH], db2int32 *usernamelen, db2int32 *initsessionidtype, char **errormsg, db2int32 *errormsglen ); Z 9 B 2+e~ API 241 db2secGetAuthIDs API N} userid dk#QO$DC'#}G(eKIEOBDTJm4PP;C'Ywx^hxP O$,qr,(#;a+KN}CZ GSS-API O$#ZKivB,a+*P;C' ksa)DC'{+]=KN}P# useridlen dk#userid N}5D$H(TVZF)# usernamespace dk#SdPqCC'j6D{FUd# usernamespacelen dk#usernamespace N}5D$H(TVZF)# usernamespacetype d k # { F U d ` M 5 # ? 
0 , ( ; \ ' V D { F U d ` M 5 G DB2SEC_NAMESPACE_SAM_COMPATIBLE(T&`FZ domain\myname DC'{y=)# dbname dk#*,SAD}]bD{F#K API ITvTKN};1,;C',SA;, }]b1,K API IT5X;,DZ(j6#KN}IT* NULL# dbnamelen dk#dbname N}5D$H(TVZF)#g{ dbname N}* NULL,G4KN }hC* 0# token dkrdv#e~ITr db2secGetGroupsForUser API +]D}]#TZ GSS- API,bGOBDdz (gss_ctx_id_t)#(#,token G;v“vdk”N},|D5 GS db2secValidatePassword API Pq!D#1ZM'zOxPO$"rKx4w C db2secValidatePassword API 1,KN}2ITGdvN}#Z(eKIEOB D D 7 3 P , g { C O B D J m 4 P P ; C ' Y w x ^ h O $ , G 4 db2secGetAuthIDs API Xk\;S\K token N}D5* NULL,"R\;y]H 0a=D userid M useridlen dkN}4Iz53Z(j6# SystemAuthID dv#kQO$DC'Dj6`T&D53Z(j6#ds!* 255 vVZ,+G DB2 }]b\mw10v9Cn$* 30 vVZD53Z(j6# SystemAuthIDlen dv#SystemAuthID N}5D$H(TVZF)# InitialSessionAuthID dv#CZK,Sa0DZ(j6#|(#k SystemAuthID N}5`,,+GZ 3)ivBIT;`,,}g,"v SET SESSION AUTHORIZATION od1M IT;`,#ds!* 255 vVZ,+G DB2 }]b\mw10v9Cn$* 30 vVZD53Z(j6# InitialSessionAuthIDlen dv#InitialSessionAuthID N}5D$H(TVZF)# username dv#kQO$DC'MZ(j6`T&DC'{#b+vCZsF,"R+G< 242 }]b2+T8O Z CONNECT odDsFG InitialSessionAuthid N}G;vG+9GZ(j 6#K API &5XBPdP;v5(b)5GZ db2secPlugin.h P(eD): v DB2SEC_ID_TYPE_AUTHID (0) v DB2SEC_ID_TYPE_ROLE (1) errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secGetAuthIDs API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secGetDefaultLoginContext API - q!1!GXZ()DivBwC DB2 |nDC'D DB2 Z(j6# K API Xk,15XZ(j6MC'j6# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secGetDefaultLoginContext) ( char authid[DB2SEC_MAX_AUTHID_LENGTH], db2int32 *authidlen, char userid[DB2SEC_MAX_USERID_LENGTH], db2int32 *useridlen, db2int32 useridtype, char usernamespace[DB2SEC_MAX_USERNAMESPACE_LENGTH], db2int32 *usernamespacelen, db2int32 *usernamespacetype, const char *dbname, db2int32 dbnamelen, void **token, char **errormsg, db2int32 *errormsglen ); db2secGetDefaultLoginContext API N} authid dv#&5XZ(j6DN}#5XD5Xk{O DB2 Z(j6D|{fr,qr +;aZ(C'4PyksDYw# authidlen dv#authid N}5D$H(TVZF)# userid dv#&5Xk1!1!G8(DG5C'j6# 
DB2SEC_PLUGIN_EFFECTIVE_USER_NAME 8>8(DGP'C'j6# ":3)e~5VI\";xV5C'j6MP'C'j6#XpG,;9C C'D UNIX r Linux m]4(" DB2 Z(j6De~IT2+XvTKn p# usernamespace dv#C'j6D{FUd# usernamespacelen dv#usernamespace N}5D$H(TVZF)#IZfZ usernamespacetype N}XkhC*5 DB2SEC_NAMESPACE_SAM_COMPATIBLE(K5GZ db2secPlugin.h P(eD)b;V^T,rK10'VDns$H* 15 VZ# usernamespacetype d v # { F U d ` M 5 # ? 0 , ( ; \ ' V D { F U d ` M G DB2SEC_NAMESPACE_SAM_COMPATIBLE(T&`FZ domain\myname DC'{y=)# dbname dk#|,*,SAD}]bD{F(g{Z}]b,SOBDP9CKwC)# TZ>XZ(Ywr5},S,KN}hC* NULL# dbnamelen dk#dbname N}5D$H(TVZF)# token dv#bG;v8rIe~VdD}]D8k,xK}]I\a;+]xCe~P DsxO$wC,2PI\;+]xilwe~#K}]Da9Ie~`4_7 (# errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secGetDefaultLoginContext API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secProcessServerPrincipalName API - &mS~qw5XD ~qwe{F db2secProcessServerPrincipalName API &mS~qw5XD~qwe{F,"4 gss_name_t Z?q=5X*T gss_init_sec_context API 9CDwe{F# 244 }]b2+T8O 9C Kerberos O$1,db2secProcessServerPrincipalName API 9a&m9C}]b? 
<`?D~qwe{F#(#,K*;9C gss_import_name API#("OBD.s, +(}wC gss_release_name API 4ME gss_name_t Ts#g{ gssName N}8r P'D GSS {F,G4 db2secProcessServerPrincipalName API +5X5 DB2SEC_PLUGIN_OK;g{we{F^',G4+5X DB2SEC_PLUGIN_BAD_PRINCIPAL_NAME mszk# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secProcessServerPrincipalName) ( const char *name, db2int32 namelen, gss_name_t *gssName, char **errormsg, db2int32 *errormsglen ); db2secProcessServerPrincipalName API N} name dk#IC GSS_C_NT_USER_NAME q=D~qweDD>{F;}g,service/ host@REALM# namelen dk#name N}5D$H(TVZF)# gssName dv#8rIC GSS-API Z?q=Ddv~qwe{FD8k# errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secProcessServerPrincipalName API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secRemapUserid API - XB3dC'j6M\k M'KD DB2 }]b\mwwCK API +x(DC'j6M\k(I\GB\kMC '{FUd)XB3dAk,S1x(DG)5;`,D5# v1Z,S1a)KC'j6M\k1,DB2 }]b\mwEaZM'KwCK API# b+@9e~+C'j6>mXB3dAC'j6/\kT#K API GI!D#g{| ;GI2+e~a)r5VD,G4M;awCK API# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secRemapUserid) ( char userid[DB2SEC_MAX_USERID_LENGTH], db2int32 *useridlen, char usernamespace[DB2SEC_MAX_USERNAMESPACE_LENGTH], db2int32 *usernamespacelen, db2int32 *usernamespacetype, char password[DB2SEC_MAX_PASSWORD_LENGTH], db2int32 *passwordlen, char newpasswd[DB2SEC_MAX_PASSWORD_LENGTH], db2int32 *newpasswdlen, const char *dbname, Z 9 B 2+e~ API 245 db2int32 dbnamelen, char **errormsg, db2int32 *errormsglen); db2secRemapUserid API N} userid dkrdv#*XB3dDC'j6#g{PdkC'j65,G4K API Xka );vdvC'j65,KdvC'j65IkCdkC'j65`,r;,#g {;PdkC'j65,G4K API ;&5XdvC'j65# useridlen dkrdv#userid N}5D$H(TVZF)# usernamespace dkrdv#C'j6D{FUd#(I!)ITXB3dK5#g{;P8(d kN}5,+G5XKdv5,G4 DB2 }]b\mw+;Q usernamespace C Z CLIENT `MO$,TZd{O$`M errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secServerAuthPluginInit - u $ d z # X k I db2secServerAuthPluginTerm API (}wC gss_release_name M gss_release_cred b= v API 4MEQVdDCZfEwe{FM>$dzDZf# API M}]a9o( SQL_API_RC SQL_API_FN db2secServerAuthPluginInit ( db2int32 version, 
void *server_fns, db2secGetConDetails *getConDetails_fn, db2secLogMessage *logMessage_fn, char **errormsg, db2int32 *errormsglen ); db2secServerAuthPluginInit API N} version dk#DB2 }]b\mw10'VD API Dn_f>E#db2secPlugin.h PD DB2SEC_API_VERSION 5|, DB2 }]b\mw10'VD API DnBf>E# server_fns dv#g{9CK GSS-API O$,G4KN}m>8r DB2 }]b\mw* db2secGssapiServerAuthFunctions_ a9(2F* gssapi_server_auth_functions_)a)DZfD8k;g{9CK“ C ' j 6 / \ k ” O $ , G 4 K N } m > 8 r DB2 } ] b \ m w * db2secUseridPasswordServerAuthFunctions_ a9(2F* userid_password_server_auth_functions_)a)DZfD8k# db2secGssapiServerAuthFunctions_ a 9 M db2secUseridPasswordServerAuthFunctions_ a9Vp|,8r* GSS- API O$e~M“C'j6/\k”O$e~5VD API D8k# server_fns N } ; ? F ` M * ; * 8 r k e ~ Q 5 V D f > ` T & D gssapi_server_auth_functions_ a 9 D 8 k # gssapi_server_auth_functions_ a 9 r userid_password_server_auth_functions_ a9DZ;vN}+Qe~ Q5VD API Df>f*x DB2 }]b\mw# ":v1 DB2 f>_ZrHZe~Q5VD API f>1EaxP?F`M*;# Z gssapi_server_auth_functions_ r userid_password_server_auth_functions_ a9P,&+ plugintype Z 9 B 2+e~ API 247 N}hC* DB2SEC_PLUGIN_TYPE_USERID_PASSWORD"DB2SEC_PLUGIN_TYPE_GSSAPI r DB2SEC_PLUGIN_TYPE_KERBEROS#ITZ+4D API f>P(ed{5# getConDetails_fn d k # 8 r I DB2 5 V D db2secGetConDetails API D 8 k # db2secServerAuthPluginInit API ITwCd{NN;vO$ API PD db2secGetConDetails API,Tq!k}]b,S`XDj8E"#b)j8E"|( PXk,S`X*D(EzFDE"(}g,Z9C TCP/IP -i1D IP X7), e~`4_ZwvO$v(1I\h*N a 9 D 8 k ; m ; v N }G conDetailsVersion,|G;vf>E,CZ8>*9CDv db2sec_con_details a 9#19C db2sec_con_details1 1,d5* DB2SEC_CON_DETAILS_VERSION_1,19 C db2sec_con_details2 1,d5* DB2SEC_CON_DETAILS_VERSION_2#(i9CDf >EG DB2SEC_CON_DETAILS_VERSION_2# 1I&5X1,db2sec_con_details a9(db2sec_con_details1 r db2sec_con_details2) +|,TBE": v CZ,SA~qwD-i#ITZ;Z|, include ?k~qwDk>,SD TCP/IP X7#KE"GZ clientIPAddress N}PndD# v M'zZ"T,SAD}]b{F#xP5},S1;ahCKE"#KE" GZ dbname M dbnameLen N}PndD# v ,SE";<,||,k db2secValidatePassword API D connection_details N }P5wD`,Dj8E"#KE"GZ connect_info_bitmap 
N}PndD# v g{ clientProtocol * SQL_PROTOCOL_TCPIP6,G4KN}m>k~qwDk >,SD TCP/IP X7#KE"GZ clientIP6Address N}PndD,v1 DB2SEC_CON_DETAILS_VERSION_2 CZ db2secGetConDetails API wC1Eaa) KE"# logMessage_fn dk#8rI DB2 }]b\mw5VD db2secLogMessage API D8k# db2secClientAuthPluginInit API ITwC db2secLogMessage API T+{"G<= db2diag U>D~P,TcxPwTr_)zN<#db2secLogMessage API DZ; vN} (level) 8(+GD~PDoOmsD`M,ns=vN }Vpm>{"V{.0d$H#db2secLogMessage API DZ;vN}_PBPP '5(|GGZ db2secPlugin.h P(eD): v DB2SEC_LOG_NONE (0):;G< v DB2SEC_LOG_CRITICAL (1):"zOXms v DB2SEC_LOG_ERROR (2):"zms 248 }]b2+T8O v DB2SEC_LOG_WARNING (3):/f v DB2SEC_LOG_INFO (4):N< v1 db2secLogMessage API D level N}D5!ZrHZ diaglevel }]b\ mwdCN}D51,{"D>EavVZ db2diag U>D~P# }g,g{9C DB2SEC_LOG_INFO 5,G4v1}]b\mwdCN} diaglevel hC* 4 1,db2diag U>D~PEavV{"D># errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secServerAuthPluginInit API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secServerAuthPluginTerm API - e}~qwO$e~J4 db2secServerAuthPluginTerm API ME~qwO$e~y9CDJ4# DB2 }]b\mw+Z6X~qwO$e~.0wCK API#&CTby;V==45 V|:|+}7e}e~b5PDNNJ4,}g,MEIe~VdDNNZf,X UT&Zr*4,DD~"XUxg,S#e~:pzYb)J4TcMEb)J 4#ZNN Windows Yw53O<;awCK API# API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secServerAuthPluginTerm) ( char **errormsg, db2int32 *errormsglen ); db2secServerAuthPluginTerm API N} errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secServerAuthPluginTerm API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# db2secValidatePassword API - i$\k a);VZ}]b,SYwZd4PC'j6M\ky=O$D=(# ":ZM'KKPK API 1,+9C4P CONNECT odDC'DX(4KP API z k#v1 authentication dCN}hC* CLIENT 1EaZM'KwCK API# Z~qwKKPK API 1,+9C5}yP_DX(4KP API zk# g{O$h*XbX((}g,UNIX OD root C'6p53CJ(),G4e~`4 _&I&);g{\k^ ',G4K API Xk5Xmszk(}g DB2SEC_PLUGIN_BADPWD)# Z 9 B 2+e~ API 249 API M}]a9o( SQL_API_RC ( SQL_API_FN *db2secValidatePassword) ( const char *userid, db2int32 useridlen, const char *usernamespace, db2int32 usernamespacelen, db2int32 usernamespacetype, 
const char *password, db2int32 passwordlen, const char *newpasswd, db2int32 newpasswdlen, const char *dbname, db2int32 dbnamelen, db2Uint32 connection_details, void **token, char **errormsg, db2int32 *errormsglen ); db2secValidatePassword API N} userid dk#*i$d\kDC'j6# useridlen dk#userid N}5D$H(TVZF)# usernamespace dk#SdPqCC'j6D{FUd# usernamespacelen dk#usernamespace N}5D$H(TVZF)# usernamespacetype dk#{FUdD`M#usernamespacetype N}_PBPP'5(|GGZ db2secPlugin.h P(eD): v DB2SEC_NAMESPACE_SAM_COMPATIBLE T&Z;vy=`FZ domain\myname DC '{ v DB2SEC_NAMESPACE_USER_PRINCIPAL T &Z; v y = ` F Z myname@domain.ibm.com DC'{ ?0,DB2 }]b53v'V DB2SEC_NAMESPACE_SAM_COMPATIBLE 5#14a) C'j61,usernamespacetype N}hC*5 DB2SEC_USER_NAMESPACE_UNDEFINED (K5GZ db2secPlugin.h P(eD)# password dk#*i$D\k# passwordlen dk#password N}5D$H(TVZF)# newpasswd dk#;vB\k(g{*|D\k)#g{4ks|D\k,G4KN}hC* NULL#g{KN};* NULL,G4K API Z+I\k|D*B\k.0&i$ I\k#K API "GXkjI|D\kDks,+Gg{4jIKks,G4&" 45X5 DB2SEC_PLUGIN_CHANGEPASSWORD_NOTSUPPORTED x;i$I\k# newpasswdlen dk#newpasswd N}5D$H(TVZF)# 250 }]b2+T8O dbname dk#*,SAD}]bD{F#API ITvT dbname N},g{|_P^FC 'CJ3)}]bD_T,G4|IT5X5 DB2SEC_PLUGIN_CONNECTIONREFUSED; qrb)C'+_PP'\k#KN}IT* NULL# dbnamelen dk#dbname N}5D$H(TVZF)#g{ dbname N}* NULL,G4KN }hC* 0# connection_details dk#bG;v 32 ;N},109CdP 3 ;4f"TBE": v nR_D;;8>C'j6D4G db2secGetDefaultLoginContext API PD1! 
5,9GZ,SZdT=a)D# v R_DZ~;8>,SG>X,S(9C“xLd(E” (IPC) D,Sr_SVx }]b73PD db2nodes.cfg PDdP;vZcxPD,S)9G6L,S(( }xgr-7xPD,S)#b9 API \;v(,;zwODM'zGq^ha )\kMIT,SA DB2 ~qw#IZfZyZYw53D1!“C'j6/\k ”e~,rKJmS,;zwODM'zPxP>X,Sx^ha)\k(Y( C'_P,SX()# v R_DZ};8> DB2 }]b\mwGS~qwK9GM'KwCK API# ;5GZ db2secPlugin.h P(eD: v DB2SEC_USERID_FROM_OS (0x00000001) 8>C'j6GSYw53Pq!D,x ;GZ CONNECT odOT=x(D# v DB2SEC_CONNECTION_ISLOCAL (0x00000002) 8>>X,S# v DB2SEC_VALIDATING_ON_SERVER_SIDE (0x0000004) 8> DB2 }]b\mwGS ~qwK9GM'KwCK API Ti$\k#g{hCKK;5,G4 DB2 } ]b\mw+S~qwKxPwC;qr,|+SM'KxPwC# TZ~=O$,DB2 }]b53D1!P*GJmZ,S1;xPNN\ki$# + G , e ~ * " _ I T ; J m x P ~ = O $ , b V i v B + 5 X DB2SEC_PLUGIN_BADPASSWORD ms# token dk#8rzcTBu~D}]D8k:Z10,SZd,IT+K}]w*N} +]xsx API wC#ITwCD API |( db2secGetAuthIDs API M db2secGetGroupsForUser API# errormsg dv#8rIe~VdD ASCII ms{"V{.X7D8k,g{4P db2secValidatePassword API ;I&,Ma5XKms{"# errormsglen dv#8r;vCZ8> errormsg N}PDms{"V{.$H(TVZF)D {}D8k# GSS-API O$e~DXh API M(e BmG DB2 2+e~SZXhD GSS-API Dj{Pm# Z 9 B 2+e~ API 251 \'VD API q-BPf6:`t2+T~q&CLr`LSZf> 2(IETF RFC2743)M`t2+T~q API f> 2:C s((IETF RFC2744)#Z5VyZ GSS-API De~.0,&9WKbb)f6# m 39. 
GSS-API O$e~XhD API M(e API `M API {F hv M'K API gss_init_sec_context 9C,6&CLr4t/2+OBD# ~qwK API gss_accept_sec_context S\I,6&CLrt/D2+OBD# ~qwK API gss_display_name +Z?q={F*;*D># +2 API gss_delete_sec_context >}Q("D2+OBD# +2 API gss_display_status q!k GSS-API 4,k`X*DD>ms{"# +2 API gss_release_buffer >}:ex# +2 API gss_release_cred MEk GSS-API >$`X*D>X}]a9# +2 API gss_release_name >}Z?q={F# XhD(e GSS_C_DELEG_FLAG ksZ(# XhD(e GSS_C_EMPTY_BUFFER m> gss_buffer_desc ;|,NN}]# XhD(e GSS_C_GSS_CODE 8> GSS w*4,k# XhD(e GSS_C_INDEFINITE 8>zF;'VOBD=Z# XhD(e GSS_C_MECH_CODE 8> GSS N*4,k# XhD(e GSS_C_MUTUAL_FLAG ksK`%O$# XhD(e GSS_C_NO_BUFFER m> gss_buffer_t d?";8rP'D gss_buffer_desc a9# XhD(e GSS_C_NO_CHANNEL_BINDINGS ;P(EE@s(# XhD(e GSS_C_NO_CONTEXT m> gss_ctx_id_t d?";8rP'DOBD# XhD(e GSS_C_NO_CREDENTIAL m> gss_cred_id_t d?";8rP'D>$dz# XhD(e GSS_C_NO_NAME m> gss_name_t d?";8rP'DZ?{F# XhD(e GSS_C_NO_OID 9C1!O$zF# XhD(e GSS_C_NULL_OID_SET 9C1!zF# XhD(e GSS_S_COMPLETE QI&jI API# XhD(e GSS_S_CONTINUE_NEEDED 4jI&m,Xk9CS,6SU=D&pnF4YNwC API# GSS-API O$e~D^F TBPm5w GSS-API O$e~D^F# v %TcZ(,+G;9CC>%4zIBD>%# v vksK1!OBD1d# v 4+ gss_delete_sec_context() PDOBDjGSM'z"MA~qw,4.`;# v ;'Vd{# v ;'V(@s(# v g{u<>$=Z,G4 DB2 }]b\mw;aT/T|GxP"B# 252 }]b2+T8O v GSS-API f6f(,49 gss_init_sec_context() r gss_accept_sec_context() '\,N;/}2Xk5X;vjGT"MA,6#+G,IZfZ DRDA V^T, rK,v1 gss_init_sec_context() '\"RZWNwCzIjG1,DB2 }]b \mwEa"MjG# Z 9 B 2+e~ API 253 254 }]b2+T8O Z 10 B (E:exvZb DB2 for Linux, UNIX, and Windows }]b\mw9M'M)&L\;4i(E:e x#Z"MMSU(E:ex.0,b?DIE2mbC4CJ(E:ex(ZM' zk}]b~qw.d+](E:ex)#b)b?bF*(E:exvZb# hz(E:exvZb,zITli(E:ex,Tcy]:exDZ]4a)bv =8,}g,sFbv=8r_d{2+Tbv=8#(} DB2 for Linux, UNIX, and Windows \;CJSM'zSU=D?v:exT0*"MAM'zD?v:ex#a ):ex.sE9C DATA_ENCRYPT O$r_ SSL TdxPS\#DB2 for Linux, UNIX, and Windows 9C DRDA -iZM'zk~qw.dxP(E#4U DRDA -iT+]=(E:exvZbD(E:exxPq=/#(E:exvZbXkK bCZ(ED DRDA -i# ^[9CDV(E-i,DB2 for Linux, UNIX, and Windows %#;G;P(}i4(E:exE\q!K j8E"# }]b\mw+7#v0kIEb#Xk+b)b20Z;\I5}yP_^DDX ( ; C 
# x R , ; P _ 8 SYSADM ( ^ D C ' E \ t C K b # t C S \ (DATA_ENCRYPT r SSL)2h*_8K(^6p# g{ya)DNN:exP|,bO*P&D}],G4(E:exvZbITU9 ,S#b)}]H|("MA~qwD}],V|(5XxM'zD}]#}g,( E:exvZbI\alb=S SELECT od5XD}];JOZM'zSU#4Tb D5Xkr}]b\mw8vXkU9,S#}]b\mw+#9M'zDC(E: exr_NNd{(E:ex,"RaU9,S# ":Z}=)&L(#aa)b)(E:exvZb#DB2 for Linux, UNIX, and Win- dows Z sqllib/samples/security/commexit ?#zIT!q9C b)y>w*8O4*"zT:Db# (E:exvZb?p Xk4&m(E:exvZb?pYw#g{z!q?pT:Db,G4IT4U K&EvD?p=h4?p# © Copyright IBM Corp. 2013 255 (E:exvZb;C (E:exvZbXkfZZX(?} TB>}T>yP=(OD{* mycommexit DbOD(E:exvZb)9{: v AIX 64 ; mycommexit.a r mycommexit.so v Solaris 64 ;"Linux 32 ;r 64 ;"IPF OD HP 64 ;:mycommexit.so v Windows 32 ;:mycommexit.dll v Windows 64 ;:mycommexit64.dll ":vZ Windows 64 ;Db{OXkxPD~{s:“64”# 256 }]b2+T8O 19C(E:exvZb{F4|B}]b\mwdC1,9CbD+{+;xs :“64”#|B}]b\mwdC1,;C8(CD~)9{Mj<76# TB>}T>K|B Windows 64 ;53OD}]b\mwdC,+ mycommexit64.dll bhC*(E:exvZbD}L# UPDATE DBM CFG USING COMM_EXIT_LIST mycommexit ":COMM_EXIT_LIST {FGxVs!4D,"RXkkb{+7%d# Z DB2 pureScale 73b?tC(E:exvZb (#IZ}=a)D20E>44PKNqPyEvD=h#Evb)=hTozz tCz*"D(E:exvZb# *<.0 zXk_8 SYSADM (^E\4PKNqPD=h# ^F (E:exvZbD~Xkq-OqDD~mI(44PKNqPyEvD=h#Evb)=hTozz tCz*"D(E:exvZb# XZKNq (}T;Pf>EDb{CD~{P|,f>ED(E:exvZbT0kKD~( "D{E4S,ITpvI1?pKb#ZbVivB,;X#9{v5},;h# 9wvI1# ^F Z 10 B (E:exvZb 257 (E:exvZbD~Xkq-OqDD~mI(ED(E:exvZb4F=}7D?Db=D~{P|,f>DbD{E4S# 3. +}]b\mwdCN} comm_exit_list |B*bD{F# *|BKdCN}, k9C UPDATE DBM CFG |n# 4. pv#9?vI1# *#9?vI1,kT?vI1KP db2stop |n# 5. 
XBt/Q#9DI1# *t/Q#9DI1,kKP db2start |n# a{ Q0kKb"RQ+duD~#g{TCbGq}#$w fZIJ,G4ITli db2diag U>D~# g{X"(E:exvZbDT\,G4I9C`SH}1d4wiCby(D1 d#PXb)`S$_D|`E",kND`XN<# *"(E:exvZb Xk# v 8r3va9D8k,Ca9P|,8ryPh*5VD API D8k# v 8rCZ+U>{"mSA db2diag U>D~D/}D8k# v 8rms{"V{.D8k# v ms{"D$H# uE# g{KbGIC C++ oTxP`kD,G4Xk+ db2commexitInit /}yw* extern "C"# (E:exvZb API Z(E:exvZbP5VD API# db2commexitInit API - u0kCbD5}'VD API Dn_f>#db2commexit.h PD5 DB2COMMEXIT_API_VERSION |,}]b\mw10'VD API DnBf>E# commexit_fns dv#KN}m>8r db2commexitFunctions_ a9D8k,Ka 9P|,8r*(E:exvZb5VD API D8k#I\_P;,f>D API, rKa+ commexit_fns N}?F`M*;*kKby5VDf>`T&D db2commexitFunctions_ a 9 # db2commexitFunctions_ a9DZ;vN}8>e~Q5VD API Df># logMessage_fn dk#KN}m>8rI DB2 }]b535VD db2commexitLogMessage API D 8k#db2commexitInit API ITwC db2commexitLogMessage API T+{"G< = db2diag U>D~P,TcxPwTr_)zN<#db2commexitLogMessage API DZ;vN}8(GD~PDoOmsD`M,ns=vN}m >{"V{.0d$H#db2commexitLogMessage API DZ;vN}DP'5*(b )P'5GZ db2commexit.h P(eD): v DB2COMMEXIT_LOG_NONE:(0) ;G< v DB2COMMEXIT_LOG_CRITICAL:(1) ~qw"zms v DB2COMMEXIT_LOG_ERROR:(2) "zms v DB2COMMEXIT_LOG_WARNING:(3) /f v DB2COMMEXIT_LOG_INFO:(4) N< v1 db2commexitLogMessage API D“level”N}D5!ZrHZ diaglevel }] b\mwdCN}D51,Ea+{"D>GD~P#}g,g {z9C5 DB2SEC_LOG_INFO,G4v1 diaglevel }]b\mwdCN}hC* 4 1EaG<{"D># errormsg dv#KN}m>8rIe~VdD ASCII ms{"V{.X7D8k,g{4P K/};I&,Ma5XKms{"#wC db2commexitFreeErrorm–sg ^(MEK Zf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitTerm API - U9 K/}CZME(E:exvZby9CDJ4# }]b\mw+Z db2stop &m}LPOX(E:exvZb.0wCK API#XkT by;V==45VC API:|+}7e}Cb5PDNNJ4#}g,C API Xk MECbVdDNNZf,XUT&Zr*4,DD~"XUxg,S#Cb:pz Yb)J4TcMEb)J4# IZvwCK/};N,rK;h*#$K/}_L2+# 260 }]b2+T8O API 7D~ db2commexit.h API M}]a9o( SQL_API_RC ( SQL_API_FN * db2commexitTerm ) ( char **errormsg, db2int32 *errormsglen ); db2commexitTerm API N} errormsg dv#KN}m>8rI(E:exvZbVdD ASCII ms{"V{.X7D8 k # g { 4 P K / } ; I & , G 4 I \ 5 X Kms {"V { . 
# w C db2commexitFreeErrorm–sg ^(MEKZf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitRegister API - "a K/}r,S"azm# ?1zmS\WSV"*8rX(Z(E:exvZbD}]D8k#K8kX( Zk>,S#KN}+w*dv+]x*C,SD?N/}wCDdk#CbIT V d M f"X ( Z , S D E " " 9 d Z ? N / } w C P I C # Z w C db2commexitDeregister 1XkMECN}DZf#}]b\mw^(CJIKN} 8rDZf# Z 10 B (E:exvZb 261 pCommInfo dk#KN}m>8ra9D8k,Ca9|,CZj6}]b~qwDE"Mk >,SD-iX(E"#Ca9PD3)VN4hC,1=kM'z;;`v:e x*9#ZT db2commexitRecv M db2commexitSend DwCPI9Cb)VN# K=8X(JCZ inbound_appl_id"outbound_appl_id M connection_type#; )*@b)5.s,connection_type N}+8>,SG>X}]b,S9GxX ,S# 4, dk#8>Z24u~B+wCC/}#I\D5|(: v NEW_CONNECTION - 8>BDomk>M'z,S# v AGENT_ASSOCIATION - 8>XBI*n/,S"Rk&mksDzm`X*DV PUPM'z,S# pReservedFlags dk/dv##tT8+49C#TZdv,Xk+C5h* 0# errormsg dv#KN}m>8rI(E:exvZbVdD ASCII ms{"V{.X7D8 k # g { 4 P K / } ; I & , G 4 I \ 5 X Kms {"V { . # w C db2commexitFreeErrorm–sg ^(MEKZf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitDeregister API - !{"a K/}CZ+zmSX*D,SPMEv4# ?1zm#9&m,SODks1,}]b\mwMawCK/}#1kM'zDo m,SU9,rM'z&ZUP4,Rzmkd!{X*1,a"zKiv# API 7D~ db2commexit.h API M}]a9o( SQL_API_RC ( SQL_API_FN * db2commexitDeregister ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, db2int32 state, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); db2commexitDeregister API N} pConnectionContext dk#KN}m>8rX(Z(E:exvZD}]D8k#K8kX(Zk>, S#KN}+w*dv+]x*C,SD?N/}wCDdk#}]b\mw^( CJIKN}8rDZf#Xk9CK/}!{VdKZf# 262 }]b2+T8O pCommInfo dk#KN}m>8ra9D8k,Ca9|,CZj6}]b~qwDE"Mk >,SD-iX(E"# 4, dk#8>Z24u~B+wCC/}#I\D5|(: v CONNECTION_TERM - 8>QU9kM'zDom,S# v AGENT_DISASSOCIATION - 8>M'z&ZUP4,RzmQkd!{X*# pReservedFlags dk/dv##tT8+49C#TZdv,Xk+C5h* 0# errormsg dv#KN}m>8rI(E:exvZbVdD ASCII ms{"V{.X7D8 k # g { 4 P K / } ; I & , G 4 I \ 5 X Kms {"V { . 
# w C db2commexitFreeErrorm–sg ^(MEKZf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitRecv API - SU +T}]b\mwSM'zSUD?v:exwCK/}# ZSM'zSU(E:ex.s,}]b\mw+"4wCK/}#ZT:exb\ .s+wCC/},Tc(E:exvZbITCJ4S\D:ex# API 7D~ db2commexit.h API M}]a9o( SQL_API_RC ( SQL_API_FN * db2commexitRecv ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, const db2commexitBuffer * pBuffer, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); db2commexitRecv API N} pConnectionContext dk#KN}m>8rX(Z(E:exvZD}]D8k#K8kX(Zk>, S#KN}+w*dk+]xC,SD?N/}wC#}]b\mw^(CJIK N}8rDZf#Xk9CK/}!{VdKZf# pCommInfo dk#KN}m>8ra9D8k,Ca9|,CZj6}]b~qwDE"Mk >,SD-iX(E"#Ca9PD3)VN4hC,1=kM'z;;`v:e x*9#ZT db2commexitRecv M db2commexitSend DwCPI9Cb)VN# K=8X(JCZ inbound_appl_id"outbound_appl_id M connection_type# Z 10 B (E:exvZb 263 pBuffer dk#KN}m>8ra9D8k,Ca9|,}]b\mwSUD:exD$H T08rC:exD8k#g{C:exQS\,G4ZwCK/}0aTdb \# pReservedFlags dk/dv#hC; DB2COMMEXIT_RECV_IN_FLAG_END_DECRYPT T8>bG*QS\ D DSS TK/}Dns;NwC#w*dk+]D DSS D$H8>QS\ DSS D$H#+G,fsaT DSS b\"}%ndUq#r*D$H#Z pBuffer a9P8>D$HG DSS DnU} ]#g{mSKj{is!DndUq,G4C$HI\*c# TZdv,+#tKVNT)+49C#TZdv,Xk+C5h* 0# errormsg dv#KN}m>8rI(E:exvZbVdD ASCII ms{"V{.X7D8 k # g { 4 P K / } ; I & , G 4 I \ 5 X Kms {"V { . # w C db2commexitFreeErrorm–sg ^(MEKZf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitSend API - "M +T}]b\mw"MxM'zD?v:exwCK/}# Z+(E:ex"MxM'z.0,}]b\mw+wCK/}#ZT:exS\. 
0+wCC/},Tc(E:exvZbITCJ4S\D:ex# API 7D~ db2commexit.h API M}]a9o( SQL_API_RC ( SQL_API_FN * db2commexitSend ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, const db2commexitBuffer * pBuffer, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); db2commexitSend API N} pConnectionContext dk#KN}m>8rX(Z(E:exvZD}]D8k#K8kX(Zk>, S#KN}+w*dv+]x*C,SD?N/}wCDdk#}]b\mw^( CJIKN}8rDZf# pCommInfo dk#KN}m>8ra9D8k,Ca9|,CZj6}]b~qwDE"Mk >,SD-iX(E"#Ca9PD3)VN4hC,1=kM'z;;`v:e 264 }]b2+T8O x*9#ZT db2commexitRecv M db2commexitSend DwCPI9Cb)VN# K=8X(JCZ inbound_appl_id"outbound_appl_id M connection_type# pBuffer dk#KN}m>8ra9D8k,Ca9|,"MxM'zD:exD$HT0 8rC:exD8k#g{C:exQS\,G4ZwCK/}0aTdb\# pReservedFlags dk/dv#g{}]b\mwv=msRXke}<8"MxM'zD3):e x,G4ahC; DB2COMMEXIT_SEND_IN_FLAG_PURGE#b):exPD3)Qw* dk+]x(E:exvZb# TZdv,+#tKVNT)+49C#TZdv,Xk+C5h* 0# errormsg dv#KN}m>8rI(E:exvZbVdD ASCII ms{"V{.X7D8 k # g { 4 P K / } ; I & , G 4 I \ 5 X Kms {"V { . # w C db2commexitFreeErrorm–sg ^(MEKZf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitUserIdentity API - C'm] (}wCK/}Ia)10WSVDC'm]# awCK/}T(*(E:exvZb,Cd*@C4(",SDC'{Ma0Z( j6#g{r*IEOBDP;C'r SET SESSION AUTHORIZATION x8rX(Z(E:exvZD}]D8k#K8kX(Zk>, S#KN}+w*dv+]x*C,SD?N/}wCDdk#}]b\mw+^ (CJIKN}8rDZf# Z 10 B (E:exvZb 265 pCommInfo dk#KN}m>8ra9D8k,Ca9|,CZj6}]b~qwDE"Mk >,SD-iX(E"#Ca9PD3)VN4hC,1=kM'z;;`v:e x*9#ZT db2commexitRecv M db2commexitSend DwCPI9Cb)VN# K=8X(JCZ inbound_appl_id"outbound_appl_id M connection_type# 4, dk#8>Z24u~B+wCC/}#I\D5|(: v DB2COMMEXIT_USERIDENT_NEW_CONNECTION - B,S# v DB2COMMEXIT_USERIDENT_TC_SWITCH_USER - "vKIEOBDP;C'ks# v DB2COMMEXIT_USERIDENT_SET_SESSION_USER - "vK SET SESSION AUTHO- RIZATION SQL odT|Da0Z(j6# usernameLen dk#pUsername D$H# pUsername dk#C4(",SDC'{# sessionAuthidLen dk#pSessionAuthid D$H# pSessionAuthid dk#*K,S("Da0Z(j6# pReservedFlags dk/dv##tT8+49C#TZdv,Xk+C5h* 0# errormsg dv#KN}m>8rI(E:exvZbVdD ASCII ms{"V{.X7D8 k # g { 4 P K / } ; I & , G 4 I \ 5 X Kms 
{"V { . # w C db2commexitFreeErrorm–sg ^(MEKZf# errormsglen dv#KN}m>8r;vCZ8> errormsg N}PDms{"V{.$H(T VZF)D{}D8k# db2commexitFreeErrormsg API - MEms{"Zf K/}MEC4fEONwC API yzzDms{"DZf# API 7D~ db2commexit.h API M}]a9o( SQL_API_RC ( SQL_API_FN * db2commexitFreeErrormsg ) ( char * errormsg ); db2commexitFreeErrormsg API N} errormsg dk#8rONwC API 15XDms{"D8k# 266 }]b2+T8O (E:exvZb/}a9 db2commexitInit /}IC void * commexit_fns N}#KN}a?F`M*;*X( Zf>Da9,Ka9P|,I(E:exvZb5VDyP/}#db2commexitInit / }Xk8(/}8k,Tc}]b\mwITwCb)/}# XkjIDa9(dP|(?v API D/}8k)gB# struct db2commexitFunctions_v1 { db2int32 version; SQL_API_RC ( SQL_API_FN * db2commexitTerm ) ( char **errormsg, db2int32 *errormsglen ); SQL_API_RC ( SQL_API_FN * db2commexitRegister ) ( void ** ppConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, db2int32 state, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); SQL_API_RC ( SQL_API_FN * db2commexitDeregister ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, db2int32 state, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); SQL_API_RC ( SQL_API_FN * db2commexitRecv ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, const db2commexitBuffer * pBuffer, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); SQL_API_RC ( SQL_API_FN * db2commexitSend ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, const db2commexitBuffer * pBuffer, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); SQL_API_RC ( SQL_API_FN * db2commexitUserIdentity ) ( void * pConnectionContext, const db2commexitCommInfo_v1 * pCommInfo, db2int32 state, db2int32 usernameLen, const char * pUserame, db2int32 sessionAuthidLen, Z 10 B (E:exvZb 267 const char * pSessionAuthid, db2int64 * pReservedFlags, char ** errormsg, db2int32 * errormsglen ); SQL_API_RC ( SQL_API_FN * db2commexitFreeErrormsg ) ( char * errormsg ); }; (E:exvZbE"a9 E"a98>10om,SD(E-iE"# 
TBG+]x?v(E:exvZb/}D db2commexitCommInfo_v1 a9#Ka9| (Z db2commexit.h D~P# struct db2commexitIPV4Info { sockaddr_in client_sockaddr; sockaddr_in server_sockaddr; }; struct db2commexitIPV6Info { sockaddr_in6 client_sockaddr; sockaddr_in6 server_sockaddr; }; struct db2commexitIPCInfo { void * pSharedMemSegmentHandle; }; struct db2commexitNamedPipeInfo { void * handle; }; struct db2commexitCommInfo_v1 { db2int32 clientProtocol; // SQL_PROTOCOL_ ... db2int32 connectionType; // unknown, local or gateway db2int32 hostnameLen; db2int32 instanceLen; db2int32 dbnameLen; db2int32 dbaliasLen; db2int32 inbound_appl_id_len; db2int32 outbound_appl_id_len; db2int32 reserved1; db2int32 reserved2; db2NodeType member; char hostname[SQL_HOSTNAME_SZ+1]; char instance[DB2COMMEXIT_INSTANCE_SZ + 1]; char dbname[DB2COMMEXIT_DBNAME_SZ + 1]; char dbalias[DB2COMMEXIT_DBNAME_SZ + 1]; char inbound_appl_id[SQLM_APPLID_SZ + 1]; char outbound_appl_id[SQLM_APPLID_SZ + 1]; 268 }]b2+T8O char reservedChar1[128]; union { db2commexitIPV4Info ipv4Info; db2commexitIPV6Info ipv6Info; db2commexitIPCInfo ipcInfo; db2commexitNamedPipeInfo namedPipeInfo; }; }; (E:exvZb:exa9 :exa9Gw* db2commexitSend M db2commexitRecv /}Ddk4+]D;Va 9# :exa9gB: struct db2commexitBuffer { const unsigned char * pBuffer; db2int64 buffer_len; db2int32 reserved1; db2int32 reserved2; }; (E:exvZbXF,S (E:exvZbf1 DB2 }]b53'VT(E:exvZb API f>xP`E#b)f>EGS 1 *< D{}# }]b\mw+]x2+buEG\'VD API Dn_f>E#g{C bIT'V|_D API f>,G4|Xk5X}]b\mwksDf>D/}8k#g {Cbv'V|Mf>D API,G4CbXk(e|'VDf>D/}8k#ZNN; VivB,buVNP5XK API 'VDf>E# (E:exvZb API f>vZX*1Ea|D#}g,|DKC API DN}1#f >E;afE}]b\mwD"PfET/|D# f>EJm}kBDr|DD API#+a#tTIf>Db'V# Z 10 B (E:exvZb 269 (E:exvZbms&mM5Xk 1(E:exvZb API "zms1,K API ITZ errormsg VNP5X;v ASCII D>V{.#C ASCII D>V{.\TJba)H5Xk|_eDhv#}]b\mw a+{vCV{.4A db2diag U>D~# (E:exvZbXkVdCZfEb)ms{"DZf#rK,CvZb9Xka )TB API 4MEKZf:db2commexitFreeErrormsg# }K errormsg VNTb,ZuD ~P#}g: // Log a message indicating that initialization was successful 
(*(logMessage_fn))(DB2COMMEXIT_LOG_CRITICAL, "comm exit initialization successful", strlen("comm. exit initialization successful")); PX db2secLogMessage /}D?vN}D|`j8E",kND`XNmD RPATH P8(D# {Ee; &!I\9C\5M"z{Ee;DI\TDNNIC!n(}g,IuYb}s (b?{E}CDG)!n)4`kM4S(E:exvZb#}g,Z HP"Solaris M Linux O9C ″-Bsymbolic″ 4SLr!nPzZ@9"zk{Ee ;`XDJb#+G,TZZ AIX O`4Db,;*T=r~=9C“-brtl”4SL r!n# 32 ;k 64 ;"bBn }]b\mwP 32 ;M 64 ;f>,!vZ=(#TZ 32 ;}]b\mw,X ktC 32 ;(E:exvZb,xTZ 64 ;}]b\mw,XktC 64 ;( E:exvZb#;\lC=Vb# f"}L"%"wMd{Z? SQL k~qw;%Df"}L;+]A(E:exvZb#m`;%"G(}j<(E E@xP,"R2;JOCZvZbD#M#`FX,%"wMZ? SQL Dd{4 ;(}j<(EE@+],2;a+]A(E:exvZb# ;CY](E:ex (E:exvZb;&Y]r|Dd+]D:ex# v/|B'V DB2 for Linux, UNIX, and Windows 'V|B DB2 pureScale 73 PDvpI 1D^)|6p+;#9d{I1#bF*v/|B#`FX,}g(E:exv ZbD?p;ZPEv,IT|BvpI1O9CDb6p#I\fZby;Vi v,=v;,f>D(E:exvZbZ=v;,I1O,1KP,?vI1&Z ;,D^)|6p#(E:exvZbXk]LK`ivx;"zms# (E:exvZb API wC3r API wC3rI\afX(=8xPy;,# BPwbEvKzZ*"(E:exvZb1Xk*@DX(=8#b)wbITo zz7(nJOZzyZ73DwC3r# Z 10 B (E:exvZb 271 API wC3r - %vzmLrPD}#,S ndMDivGM'z,SA}]b\mw,"v;) SQL,;sO*,S# ZbVivB,%vzmLrr_L+&m,S,"RxPBPwC: 1. TZBDWSV,S,wC db2commexitRegister# 2. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# 3. TZB,S,wC db2commexitUserIdentity 4. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 5. wC db2commexitDeregister TU9WSV,S# API wC3r - ;fZ,SXCD,S K=85wK(}VPWSV("D,S#M'z;XH"v,SXC4It/m; v SQL ,S# ;)}]b\mwSM'zSU= SQL CONNECT od,|Ma~=4PZ?,SX C,;sYLxxP,S#;a|DWSVD4,,b)G#fksM&p#ZbV ivB,%vzmLr+&myPks#(} db2commexitRecv 9|,4TM'zD, SksD:exIC1,(E:exvZb\;7(bvK:ex1t/DB,S# xPKBPwC: 1. TZBDWSV,S,wC db2commexitRegister# 2. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# 3. TZB,S,wC db2commexitUserIdentity 4. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 5. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# 6. TZB,S,wC db2commexitUserIdentity# 7. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 8. 
wC db2commexitDeregister TU9WSV,S# ": 49}]b\mwQ&m=v SQL ,S,2vVpwC db2commexitRegister M db2commexitDeregister ;N# API wC3r - IEOBDMP;C' K=8`FZ;fZ,SXCD,S#|G.dDxpZZM'z+ksIEOBD P;C',x;"MBD SQL ,Sks# xPKBPwC: 1. TZBDWSV,S,wC db2commexitRegister# 2. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# 3. TZB,S,wC db2commexitUserIdentity 4. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 5. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# Z+43v1d,M'z+r~qw"MIEOBDP;C'ks,TT,SP; C'# 272 }]b2+T8O 6. TZIEOBDP;C',wC db2commexitUserIdentity# 7. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 8. wC db2commexitDeregister TU9WSV,S# API wC3r - ,S/Pw K=85wK9C,S/Pw1D API wC3r#,S/Pw&\?~Jm}]b\m w&mDM'z},}-wzmLr}r_L}# ;)M'zo=$w%*_g,+G;"4"Mm;vks,Ma+M'zWSVE kUPXP#H0&mM'zksDzmLr+&mm;vM'z#;)UPWSV _P*A!D}]1,VIwMaiRUPzmLrT&mK}]#Z SQL ,SDz fZZ,I\P`vCZ&mM'zksDzmLr#?1+WSVFkMFvUP X1,MawC db2commexitDeregister M db2commexitRegister#xPKBPwC: 1. TZBDWSV,S,wC db2commexitRegister# 2. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# 3. TZB,S,wC db2commexitUserIdentity 4. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# M'z;a"4"Mm;vks,"Ra+WSVEkUPXP# 5. wC db2commexitDeregister Tb}kzmLrDX*# Z+43v1d,M'zaZVIw!qUPzmLr1"Mm;vks,K1d +I\kH0y9CD1d;,: 6. wC db2commexitRegister TkzmLr`X*# 7. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 8. wC db2commexitDeregister TU9WSV,S# " : T Z % v SQL , S , a ` N w C db2commexitRegister M db2commexitDeregister# API wC3r - SET SESSION AUTHORIZATION od K=85wK9C SET SESSION AUTHORIZATION od1D API wC3r# SET SESSION AUTHORIZATION oda|D}CZ10,SDa0Z(j6#awC Db2commexitUserIdentity T(*(E:exvZb,Cd*@Q|D10,SDm]E "#xPKBPwC: 1. TZBDWSV,S,wC db2commexitRegister# 2. PI\`NwC db2commexitRecv M db2commexitSend T&mO$# 3. TZB,S,wC db2commexitUserIdentity# 4. PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# C ' " v SET SESSION AUTHORIZATION o d # K ksa + ] A db2commexitRecv#|kd{ SQL od;Pxp# 5. TZ SET SESSION AUTHORIZATION,wC db2commexitUserIdentity# 6. 
PI\`NwC db2commexitRecv M db2commexitSend T&mM'z SQL ks# 7. wC db2commexitDeregister TU9WSV,S# Z 10 B (E:exvZb 273 PXhC?j_-ZcD"bBn 9C DB2NODE d?r_9C SET CLIENT |nhC?j_-Zc1Xk&CLrj6k6LI1PDk>&CLrj6`,# ;)Q-("Kb)&CLrj6,Ma+ db2commexitCommInfo_v1 a9PD connectionType hC* GATEWAY# PX,SxXD"bBn 1}]b\mwd1m;v DRDA }]b~qwD,SxX1,XkD$H#n`I* DSS nd 8 vVZ# n s ; N w C db2CommexitRecv 1 , a + DB2COMMEXIT_RECV_IN_FLAG_END_DECRYPT j>w*dk4+]T8>QS\D DSS D)2# ":ZbVivB,$HI\* 0,m>QmSnd?VD{vis!# "MM DATA_ENCRYPT TM'zD DSS &pxPS\1,:exPI\|,`v?D> DSS MQS\D DSS,b) DSS a"MAM'z#1b) DSS <8C1,a+|Gw*dk+]x 274 }]b2+T8O db2commexitSend– }L#IZZS\.0Xk+?D>}]Cwdk,rK+4U;N jI;v+]D==4jIb)+]#}]b\mwI\av=msiv,bVms iv*s}]b\mwe}H0Q<8C"+G4"MD DSS#(E:exvZbI\ QKbb)b#Z$H* 0 R DB2COMMEXIT_SEND_IN_FLAG_PURGE j>8>QxPe} DivBwC db2CommexitSend /}# Z 10 B (E:exvZb 275 276 }]b2+T8O Z 11 B sFh)G<Pi!sFG<1,?vG<+_PBPwmPT>DdP;Vq=#? vm0fG<# CGZX*DmP,;NT>;P#mP?nDT>3rki !YwswnZ(gD~PDdv3r`,# ": 1. y]sFB~x(,"GsFGCVN# 2. 3)VN(g“"TDCJ”)T(gD ASCII q=f"*;<#+G,ZK=f( fD~P,b)VN+T>*;iV{.,m>;<5# sFGKTZ?VsFGK AUDIT B~DsFG<sFG<: 278 }]b2+T8O timestamp=2007-04-10-08.29.52.000001; category=AUDIT; audit event=START; event correlator=0; event status=0; userid=newton; authid=NEWTON; application id=*LOCAL_APPLICATION; application name=db2audit.exe; m 42. AUDIT B~DsFG<,dP I&DB~ >=0 '\DB~ <0 C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# - VARCHAR(64) sFB~"z1}Z9CDLr|Df># >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. 
VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBD{F VARCHAR(128) kIE,SX*DIEOBDD{F# Z 11 B sFh)G<D76# i576 VARCHAR(1024) db2audit configure |nP8(DQi5sFU>D76 CHECKING B~DsFG<K CHECKING B~DsFGsFG<: timestamp=1998-06-24-08.42.11.622984; category=CHECKING; audit event=CHECKING_OBJECT; event correlator=2; event status=0; database=FOO; userid=boss; authid=BOSS; application id=*LOCAL.newton.980624124210; application name=testapp; Z 11 B sFh)G<,dP I&DB~ >=0 '\DB~ <0 }]b{F CHAR(8) *dzIKB~D}]bD{F#g{|G5}6psFB~,G4 *UW# C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# -Zjb*:s FG*KsFB~zZjb* :I\D CHECKING CJz<-rDPm;DwbPDG)5# "TDCJ CHAR(34) 8("TDCJ`M#I\D5|(:T>Zjb*:I\D CHECKING CJ"T`MDPm;DwbPDG)5# Lr|f> VARCHAR (64) sFB~"z1}Z9CDLr|Df># 282 }]b2+T8O m 43. CHECKING B~DsFG<P;ADZ(j6# >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. 
VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBD{F VARCHAR(255) kIE,SX*DIEOBDD{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_CONNECTION EXPLICIT_TRUSTED_CONNECTION LPDG+ VARCHAR(128) (}IE,SLPDG+# CHECKING CJz<-r TBPmT>KI\D CHECKING CJz<-r# k " b , s FG< I \ | , ` v C J z < - r , } g : access approval reason=DATAACCESS,ACCESSCTRL;#1fZ`vCJz<-r1,C'Xk_PQyw DyP(^MX(,E\(}Ty"TCJDZ(li# 0x00000000000000000000000000000001 ACCESS DENIED 4zKI\D CHECKING CJ"T`M# g{sFB~G CHECKING_TRANSFER,G4sFn+43Gq_PX(# 0x00000000000000000000000000000001 CONTROL "Ti$Gq_P CONTROL X(# 0x00000000000000000000000000000002 ALTER " T D d T s , r i $ G q _ P ALTER X ( ( g { s F B ~ * CHECKING_TRANSFER)# 0x00000000000000000000000000000004 DELETE " T > } T s , r i $ G q _ P DELETE X ( ( g { s F B ~ * CHECKING_TRANSFER)# 284 }]b2+T8O 0x00000000000000000000000000000008 INDEX " T9C w } , r i $ G q _ P INDEX X ( ( g { s F B ~ * CHECKING_TRANSFER)# 0x00000000000000000000000000000010 INSERT "Tek=TsP,ri$Gq_P INSERT X((g{sFB~* CHECKING_TRANSFER)# 0x00000000000000000000000000000020 SELECT "Ti/mrS<,ri$Gq_P SELECT X((g{sFB~* CHECKING_TRANSFER)# 0x00000000000000000000000000000040 UPDATE "T|BTsPD}],ri$Gq_P UPDATE X((g{sFB~* CHECKING_TRANSFER)# 0x00000000000000000000000000000080 REFERENCE "TZTsd("}C};vTs# 0x00000000000000000000000000000400 CREATEIN "TZm;v#=Z4(;vTs# 0x00000000000000000000000000000800 DROPIN "T>}Zm;v#=ZR=DTs# 0x00000000000000000000000000001000 ALTERIN "TDdr^DZm;v#=ZR=DTs# 0x00000000000000000000000000002000 EXECUTE "T4PrKP&CLrrwC}L"4(4T}LD/}(vJCZ/}) rZNN DDL odP}C}L,ri$Gq_P EXECUTE X((g{sF B~* CHECKING_TRANSFER)# 0x00000000000000000000000000004000 BIND "Ts(r<8;v&CLr# 0x00000000000000000000000000008000 SET_EVENT MONITOR "ThCB~`Sw*X# 0x00000000000000000000000000010000 SET_CONSTRAINTS "ThCT;vTsD}`vTs# 0x00000000000000000000000004000000 LOAD "TZmUdP0km# 0x00000000000000000000000008000000 USE "TZmUdP4(m,ri$Gq_P USE X((g{sFB~* CHECKING_TRANSFER)# 0x00000000000000000000000010000000 SET_SESSION_USER "T4P 
SET SESSION_USER od# 0x00000000000000000000000020000000 FLUSH "T4P FLUSH od# 0x00000000000000000000000040000000 STORE "Ti4 EXPLAIN_PREDICATE mPQXBE/DodD5# 0x00000000000000000000000100000000 SET_OWNER "ThCs(Lr|1k10C';%dDyP_# 0x00000000000000000000000200000000 SET_PASSTHRU "T"v SET PASSTHRU od# 0x00000000000000000000000400000000 TRANSFER "T+M;vTs# 0x00000000000000000000000800000000 ALTER_WITH_GRANT "Ti$Gq_Px GRANT !nD ALTER X(# 0x00000000000000000000001000000000 DELETE_WITH_GRANT "Ti$Gq_Px GRANT !nD DELETE X(# 0x00000000000000000000002000000000 INDEX_WITH_GRANT "Ti$Gq_Px GRANT !nD INDEX X(# 0x00000000000000000000004000000000 INSERT_WITH_GRANT "Ti$Gq_Px GRANT !nD INSERT X(# 0x00000000000000000000008000000000 SELECT_WITH_GRANT "Ti$Gq_Px GRANT !nD SELECT X(# 286 }]b2+T8O 0x00000000000000000000010000000000 UPDATE_WITH_GRANT "Ti$Gq_Px GRANT !nD UPDATE X(# 0x00000000000000000000020000000000 REFERENCE_WITH_GRANT "Ti$Gq_Px GRANT !nD REFERENCE X(# 0x00000000000000000000040000000000 USAGE "T9CrPr XSR Ts,ri$Gq_P USAGE X((g{sFB~* CHECKING_TRANSFER)# 0x00000000000000000000080000000000 SET ROLE "ThCG+# 0x00000000000000000000100000000000 EXPLICIT_TRUSTED_CONNECTION "T("T=IE,S# 0x00000000000000000000200000000000 IMPLICIT_TRUSTED_CONNECTION "T("~=IE,S# 0x00000000000000000000400000000000 READ "TA!+Vd?# 0x00000000000000000000800000000000 WRITE "T4k+Vd?# 0x00000000000000000001000000000000 SWITCH_USER "TZT=IE,SOP;C'j6# 0x00000000000000000002000000000000 AUDIT_USING "T+sF_Tk;vTsX*# 0x00000000000000000004000000000000 AUDIT_REPLACE "Tf;k;vTsX*DsF_T# 0x00000000000000000008000000000000 AUDIT_REMOVE "T}%k;vTsX*DsF_T# 0x00000000000000000010000000000000 AUDIT_ARCHIVE "Ti5sFU># 0x00000000000000000020000000000000 AUDIT_EXTRACT "Ti!sFU># 0x00000000000000000040000000000000 AUDIT_LIST_LOGS "TP>sFU># 0x00000000000000000080000000000000 IGNORE_TRIGGERS "TvTk}]bTs`X*D%"w# 0x00000000000000000100000000000000 PREPARE "T$`k SQL od,"RC';5PXhDTs6pX(r DATAACCESS (^# 0x00000000000000000200000000000000 DESCRIBE 
"Thvod,"RC';5PXhDTs6pX(r DATAACCESS (^# 0x00000000000000000400000000000000 SET_USAGELIST "ThCC(Pm4,# Z 11 B sFh)G<K OBJMAINT B~DsFGsFG<: timestamp=1998-06-24-08.42.41.957524; category=OBJMAINT; audit event=CREATE_OBJECT; event correlator=3; event status=0; database=FOO; userid=boss; authid=BOSS; application id=*LOCAL.newton.980624124210; application name=testapp; package schema=NULLID; package name=SQLC28A1; package section=0; object schema=BOSS; object name=AUDIT; object type=TABLE; m 44. OBJMAINT B~DsFG<,dP I&DB~ >=0 '\DB~ <0 }]b{F CHAR(8) *dzIKB~D}]bD{F#g{|G5}6psFB~,G4 *UW# C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# -Zjb*:s FG VARCHAR(64) sFB~"z1}Z9CDLr|Df># 2+_T{F VARCHAR(128) 2+_TD{F(g{Ts`MG TABLE "RCmk2+_T`X* D0)# DdYw VARCHAR(32) X(DdYw I\D5|(: v ADD_PROTECTED_COLUMN v ADD_COLUMN_PROTECTION v DROP_COLUMN_PROTECTION v ADD_ROW_PROTECTION v ADD_SECURITY_POLICY v ADD_ELEMENT v ADD COMPONENT v USE GROUP AUTHORIZATIONS v IGNORE GROUP AUTHORIZATIONS v USE ROLE AUTHORIZATIONS v IGNORE ROLE AUTHORIZATIONS v OVERRIDE NOT AUTHORIZED WRITE SECURITY LABEL v RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL \#$DP{ VARCHAR(128) g { D d Y w G ADD_COLUMN_PROTECTION r DROP_COLUMN_PROTECTION,G4bG\0lDP{# P2+jE VARCHAR(128) #$“P{”VNP8(DPD2+jE# 2+jEP{ VARCHAR(128) |,#$PD2+jEDP{# >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. 
VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBD{F VARCHAR(128) kIE,SX*DIEOBDD{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_CONNECTION EXPLICIT_TRUSTED_CONNECTION LPDG+ VARCHAR(128) (}IE,SLPDG+# Ts#i VARCHAR(128) TsytD#iD{F# Z 11 B sFh)G<K SECMAINT B~DsFGsFG<: timestamp=1998-06-24-11.57.45.188101; category=SECMAINT; audit event=GRANT; event correlator=4; event status=0; database=FOO; userid=boss; authid=BOSS; application id=*LOCAL.boss.980624155728; application name=db2bp; package schema=NULLID; package name=SQLC28A1; package section=0; object schema=BOSS; object name=T1; object type=TABLE; grantor=BOSS; grantee=WORKER; grantee type=USER; privilege=SELECT; m 45. SECMAINT B~DsFG<,dP I&DB~ >=0 '\DB~ <0 }]b{F CHAR(8) *dzIKB~D}]bD{F#g{|G5}6psFB~,G4 *UW# C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# -G+{F: v ADD_DEFAULT_ROLE v DROP_DEFAULT_ROLE v ALTER_DEFAULT_ROLE v ADD_USER v DROP_USER v ALTER_USER_ADD_ROLE v ALTER_USER_DROP_ROLE v ALTER_USER_AUTHENTICATION g{Ts`MVN* ACCESS_RULE,G4KVN|,frD{F#k frX*D2+_T{f"Z“Ts#=”VNP# g{Ts`MVN* SECURITY_LABEL,G4KVN|,2+jED {F#,P2+jED2+_TD{Ff"Z“Ts#=”VNP# Ts`M VARCHAR(32) *dzIsFB~DTsD`M#I\D5|(:T>Zjb*:s FGIEOBDTs: v ADD_DEFAULT_ROLE v DROP_DEFAULT_ROLE v ALTER_DEFAULT_ROLE v ADD_USER r DROP_USER v ALTER_USER_ADD_ROLE v ALTER_USER_DROP_ROLE v ALTER_USER_AUTHENTICATION ;Z(_`M VARCHAR(32) ;Zhr7z(^D;Z(_D`M#1sFB~*BPNN;n 1,I\D5|( USER"GROUP"ROLE"AMBIGUOUS M TRUSTED_CONTEXT: v ADD_DEFAULT_ROLE v DROP_DEFAULT_ROLE v ALTER_DEFAULT_ROLE v ADD_USER v DROP_USER v ALTER_USER_ADD_ROLE v ALTER_USER_DROP_ROLE v ALTER_USER_AUTHENTICATION X(r(^ CHAR(34) 8>Zhr7zDX(r(^D`M#I\D5|(:T>Zjb* :I\D SECMAINT X(r(^DPm;DwbPDG)5# 1sFB~*BPNN;n1,5* ROLE MEMBERSHIP: v ADD_DEFAULT_ROLE r DROP_DEFAULT_ROLE v ALTER_DEFAULT_ROLE v ADD_USER v DROP_USER v ALTER_USER_ADD_ROLE v ALTER_USER_DROP_ROLE v ALTER_USER_AUTHENTICATION Lr|f> VARCHAR(64) sFB~"z1}Z9CDLr|Df># 292 }]b2+T8O m 45. 
SECMAINT B~DsFG<XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# Z(_`M VARCHAR(32) Z(_D`M#I\D5|(:USER# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBDC' VARCHAR(128) j61sFB~* ADD_USER r DROP_USER 1DIEOBDC'# IEOBDC'O$ INTEGER 8 ( 1 s F B ~ * ADD_USER" DROP_USER r ALTER_USER_AUTHENTICATION 1DIEOBDC'DO$hC# 1 :h*O$ 0 :;h*O$ IEOBD{F VARCHAR(128) kIE,SX*DIEOBDD{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_CONNECTION EXPLICIT_TRUSTED_CONNECTION LPDG+ VARCHAR(128) (}IE,SLPDG+# SECMAINT X(r(^ TBPmT>KI\D SECMAINT X(r(^# 0x00000000000000000000000000000001 Control Table ZhDr7zDTmrS}mrS}CmDX(# 0x00000000000000000000000000000020 Table Index ZhDr7zDTw}DX(# 0x00000000000000000000000000000040 Table Index with GRANT TZJmZhX(Dw},ZhDr7zDTCw}DX(# 0x00000000000000000000000000000080 Table INSERT ZhDr7zDTmrSK SYSADMIN B~DsFG<sFG<: timestamp=1998-06-24-11.54.04.129923; category=SYSADMIN; audit event=DB2AUDIT; event correlator=1; event status=0; userid=boss;authid=BOSS; application id=*LOCAL.boss.980624155404; application name=db2audit; m 46. SYSADMIN B~DsFG<,dP I&DB~ >=0 '\DB~ <0 }]b{F CHAR(8) *dzIKB~D}]bD{F#g{|G5}6psFB~,G4 *UW# C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# - VARCHAR(64) sFB~"z1}Z9CDLr|Df># >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. 
VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBD{F VARCHAR(128) kIE,SX*DIEOBDD{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_CONNECTION EXPLICIT_TRUSTED_CONNECTION LPDG+ VARCHAR(128) (}IE,SLPDG+# VALIDATE B~DsFG<K VALIDATE B~DsFGsFG<: timestamp=2007-05-07-10.30.51.585626; category=VALIDATE; audit event=AUTHENTICATION; event correlator=1; event status=0; userid=newton; authid=NEWTON; execution id=gstager; application id=*LOCAL.gstager.070507143051; application name=db2bp; auth type=SERVER; plugin name=IBMOSauthserver; m 47. VALIDATE B~DsFG<,dP I&DB~ >=0 '\DB~ <0 }]b{F CHAR(8) *dzIKB~D}]bD{F#g{|G5}6psFB~,G4 *UW# C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# 4Pj6 VARCHAR(1024) sFB~"z1}Z9CD4Pj6# - VARCHAR(64) sFB~"z1}Z9CDLr|Df># e~{F VARCHAR(32) sFB~"z1}Z9CDe~D{F# >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBD{F VARCHAR(128) kIE,SX*DIEOBDD{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_CONNECTION EXPLICIT_TRUSTED_CONNECTION LPDG+ VARCHAR(128) (}IEOBDLPDG+D{F# Z 11 B sFh)G<K CONTEXT B~DsFG<sFG<: timestamp=1998-06-24-08.42.41.476840; category=CONTEXT; audit event=EXECUTE_IMMEDIATE; event correlator=3; database=FOO; userid=boss; authid=BOSS; application id=*LOCAL.newton.980624124210; application name=testapp; package schema=NULLID; package name=SQLC28A1; package section=203; text=create table audit(c1 char(10), c2 integer); m 48. CONTEXT B~DsFG<P;ADC'j6# Z(j6 VARCHAR(128) sFB~"z1DZ(j6# 1sFB~* SWITCH_USER 1,KVN m>P;ADZ(j6# - CLOB(8M) SQL r XQuery odDD>(g{JC)#g{ SQL r XQuery o dD>;IC,G4* NULL# 300 }]b2+T8O m 48. 
CONTEXT B~DsFG< VARCHAR(64) sFB~"z1}Z9CDLr|Df># >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD>XBqj6#bGw*BqU>;?V D SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+VBqj6#bGw*BqU>;?V D SQLP_GXID a9PD}]VN# M'zC'j6 VARCHAR(255) sFB~"z1 CURRENT CLIENT USERID (CDfwD5# M'z$w>{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (CDfwD 5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDfwD5# M'zGJV{. VARCHAR(255) sFB~"z1 CURRENT CLIENT_ACCTNG (CDfwD5# IEOBD{F VARCHAR(128) kIE,SX*DIEOBDD{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_CONNECTION EXPLICIT_TRUSTED_CONNECTION LPDG+ VARCHAR(128) (}IE,SLPDG+# EXECUTE B~DsFG<sFG<: ":kd{sF`p;,,ZTmq=i4sFU>1,EXECUTE `pI\aT>` vPhv;vB~#Z;uG1,P;uG<,+|Dod5_P`vu ?#DATA X|V;vVZmq=P# timestamp=2006-04-10-13.20.51.029203; category=EXECUTE; audit event=STATEMENT; event correlator=1; event status=0; database=SAMPLE; userid=smith; authid=SMITH; session authid=SMITH; application id=*LOCAL.prodrig.060410172044; application name=myapp; package schema=NULLID; package name=SQLC2F0A; package section=201; uow id=2; activity id=3; statement invocation id=0; statement nesting level=0; statement text=SELECT * FROM DEPARTMENT WHERE DEPTNO = ? 
AND DEPTNAME = ?; statement isolation level=CS; compilation environment= isolation level=CS query optimization=5 min_dec_div_3=NO Z 11 B sFh)G<,dPI&D B~ >=0,'\DB~ < 0# }]b{F CHAR(8) *dzIKB~D}]bD{ F#g{|G5}6psFB ~,G4*UW# C'j6 VARCHAR(1024) sFB~"z1DC'j6# Z(j6 VARCHAR(128) sFB~"z1DodZ(j 6# a0Z(j6 VARCHAR(128) sFB~"z1Da0Z(j 6# -{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_WRKSTNNAME (C DfwD5# M'z&CLr{F VARCHAR(255) sFB~"z1 CURRENT CLIENT_APPLNAME (CDf wD5# IEOBD{F VARCHAR(128) kIE,SX*DIEOBD D{F# ,SEN`M INTEGER I\D5|(: IMPLICIT_TRUSTED_ CONNECTION M EXPLICIT_TRUSTED_ CONNECTION# LPDG+ VARCHAR(128) (}IE,SLPDG+# Lr|#= VARCHAR(128) sFB~"z1}Z9CDL r|D#=# Lr|{F VARCHAR(128) sFB~"z1}Z9CDL r|D{F# Lr|Z SMALLINT sFB~"z1}Z9CDL r|PDZE# Lr|f> VARCHAR(164) sFB~"z1}Z9CDL r|Df># >XBqj6 VARCHAR(10) FOR BIT DATA sFB~"z1}Z9CD> XBqj6#bGw*BqU >;?VD SQLU_TID a9# +VBqj6 VARCHAR(30) FOR BIT DATA sFB~"z1}Z9CD+ VBqj6#bGw*BqU >;?VD SQLP_GXID a9 PD}]VN# UOW j6 BIGINT zzn/D$w%*j6#K 5Z?v$w%*D&CLr j6ZG(;D# n/j6 BIGINT $w%*ZD(;n/j6# odwCj6 BIGINT ;vj6,|ITxV$w% *P`,6W6pOD3N} LwCMd{}LwC#TZ X(6W6p,|Z$w%* PG(;D# od6W6p BIGINT KPod1P'D6Wr]i 6p;?v6W6pT&;v f"}LrC'(eD/} (UDF) D6Wr]iwC# Z 11 B sFh)G< CLOB(8M) SQL r XQuery odDD> (g{JC)# odtk6p CHAR(8) KPod1TCodP'Dt k5# I\D5|(: v NONE(48(tk6p) v UR(4d5DA) v CS(NjH(T) v RS(AH(T) v RR(IX4A) `k73hv BLOB(8K) `k SQL od19CD`k7 3 # I a ) K * X w * COMPILATION_ENV m/}D dk,r_w* SET COMPI- LATION ENVIRONMENT SQL odDdk# ^DDP} INTEGER |,IZBPYwx>}"e kr|BD\P}: v Z>}YwI&s?F4P #I\D5>} P INTEGER r CHAR# od5}] CLOB(128K) SQL odD}]5DV{.m >#LOB"LONG"XML Ma 9/`MN};fZ#UZ" 1dM1dAGVNG<* ISO q=# od5)98>{ INTEGER TKod58(D)98>{ D5#I\D5*: v 0 g{8(Dod5k8> {5VdD5`,, v -1 g{8>{58(K NULL 5, v -5 g{8>{58(K DEFAULT 5, v -7 g{8>{58(K UNASSIGNED 5# >X*<1d CHAR(26) Kn/ZVxO*<$wD1 d#1Cn/;h*Lr| 1,KVNITGUV{., } g , T Z CONNECT" CONNECT RESET"COMMIT M ROLL- BACK 1#5+T>X1dG <# sFB~ TZ?vsF`p,3)`MDB~I4(sFG<# AUDIT `pDB~ v ALTER_AUDIT_POLICY v ARCHIVE v AUDIT_REMOVE v AUDIT_REPLACE Z 11 B sFh)G<P;zIK5)# v START v 
STOP v UPDATE_DBM_CFG CHECKING `pDB~ v CHECKING_FUNCTION v CHECKING_MEMBERSHIP_IN_ROLES v CHECKING_OBJECT v CHECKING_TRANSFER CONTEXT `pDB~ v ADD_NODE v ATTACH v BACKUP_DB v BIND v CLOSE_CONTAINER_QUERY v CLOSE_CURSOR v CLOSE_HISTORY_FILE v CLOSE_TABLESPACE_QUERY v COMMIT v CONNECT v CONNECT_RESET v CREATE_DATABASE v DARI_START v DARI_STOP v DBM_CFG_OPERATION v DESCRIBE v DESCRIBE_DATABASE v DETACH v DISCOVER v DROP_DATABASE v ENABLE_MULTIPAGE 306 }]b2+T8O v ESTIMATE_SNAPSHOT_SIZE v EXECUTE v EXECUTE_IMMEDIATE v EXTERNAL_CANCEL v FETCH_CONTAINER_QUERY v FETCH_CURSOR v FETCH_HISTORY_FILE v FETCH_TABLESPACE v FORCE_APPLICATION v GET_DB_CFG v GET_DFLT_CFG v GET_SNAPSHOT v GET_TABLESPACE_STATISTIC v IMPLICIT_REBIND v LOAD_MSG_FILE v LOAD_TABLE v OPEN_CONTAINER_QUERY v OPEN_CURSOR v OPEN_HISTORY_FILE v OPEN_TABLESPACE_QUERY v PREPARE v PRUNE_RECOVERY_HISTORY v QUIESCE_TABLESPACE v READ_ASYNC_LOG_RECORD v REBIND v REDISTRIBUTE v REORG v REQUEST_ROLLBACK v RESET_DB_CFG v RESET_MONITOR v RESTORE_DB v ROLLBACK v ROLLFORWARD_DB v RUNSTATS v SET_APPL_PRIORITY v SET_MONITOR v SET_RUNTIME_DEGREE v SET_TABLESPACE_CONTAINERS v SINGLE_TABLESPACE_QUERY v SWITCH_USER Z 11 B sFh)G<P# v GLOBAL COMMIT Z+VBqZ4Pd5 v GLOBAL ROLLBACK Z+VBqZ4PXv v RELEASE SAVEPOINT 4P RELEASE SAVEPOINT od v ROLLBACK 4P ROLLBACK od v SAVEPOINT 4P SAVEPOINT od v STATEMENT 4P SQL od v SWITCH USER ZIE,SZP;C' OBJMAINT `pDB~ v ALTER_OBJECT(zIZDd\#$Dm1MDd#i1) v CREATE_OBJECT v DROP_OBJECT v RENAME_OBJECT SECMAINT `pDB~ v ADD_DEFAULT_ROLE v ADD_USER v ALTER_DEFAULT_ROLE v ALTER SECURITY POLICY v ALTER_USER_ADD_ROLE v ALTER_USER_AUTHENTICATION v ALTER_USER_DROP_ROLE v DROP_DEFAULT_ROLE v DROP_USER v GRANT v IMPLICIT_GRANT v IMPLICIT_REVOKE v REVOKE 308 }]b2+T8O v SET_SESSION_USER v TRANSFER_OWNERSHIP v UPDATE_DBM_CFG SYSADMIN `pDB~ v ACTIVATE_DB v ADD_NODE v ALTER_BUFFERPOOL v ALTER_DATABASE v ALTER_NODEGROUP v ALTER_TABLESPACE v ATTACH_DEBUGGER v BACKUP_DB v CATALOG_DB v CATALOG_DCS_DB v CATALOG_NODE v 
CHANGE_DB_COMMENT v CLOSE_CONTAINER_QUERY v CLOSE_TABLESPACE_QUERY v CREATE_BUFFERPOOL v CREATE_DATABASE v CREATE_DB_AT_NODE v CREATE_EVENT_MONITOR v CREATE_INSTANCE v CREATE_NODEGROUP v CREATE_TABLESPACE v DB2AUD v DB2AUDIT v DB2REMOT v DB2SET v DB2TRC v DEACTIVATE_DB v DELETE_INSTANCE v DESCRIBE_DATABASE v DROP_BUFFERPOOL v DROP_DATABASE v DROP_EVENT_MONITOR v DROP_NODEGROUP v DROP_NODE_VERIFY v DROP_TABLESPACE Z 11 B sFh)G<P;zI) v GET_USERMAPPING_FROM_PLUGIN v GET_GROUPS(Z V9.5 M|_f>P;zI) v GET_USERID(Z V9.5 M|_f>P;zI) Z 11 B sFh)G<,akT PDC ODw 1>(Z,=# ;h*ZwrXFwP(eC'J'"C'j6M\kMITCJrJ4# ":CONNECT odM ATTACH |n'VI=?ViIDC'j6#k SAM f]D C'j6D^(JG;vy=*“Domain\User”D{F,dns$H* 15 vV{# TZ20 Windows ~qw1DhC}L,I!q4(BPTs: v ZBrP4(wrXFw v ZQ*rP4(8]rXFw v ZQ*rP4(@"~qw ZBrP!q“XFw”a9C~qwI*wrXFw# C'I\*G<>Xzw,r_1Z“Windows r”P20zw1,C'I\*GXzw,;sli10rD“rXFw”,nsli“r XFw”O6DNN;v“IEr”# *Y}5wbGgNxPD,Yh DB2 5}h*~qwO$#CdCgBy>: © Copyright IBM Corp. 2013 313 ?(zw}]>K~qwTC'DO$# 1. Abdul G< TDC2 r(4,|Z TDC2 SAM }]bPGI6pD)# 2. Abdul ;sk;v DB2 }]b,S,C}]b+;`?*;Z SRV3 O: db2 connect to remotedb user Abdul using fredpw 3. SRV3 7(I6p Abdul D;C#CZiRKE"D API WHQw>Xzw (SRV3),;sQwrXFw(DC1),ns"TQwNNIEr#Z TDC2 OR =C'{ Abdul#KQw3rh*C'MiD%v{FUd# 4. ;s SRV3: a. Z TDC2 Oi$C'{M\k# b. (}/J TDC2 4Kb Abdul GqG\m1# c. (}/J TDC2 4PYyP Abdul Di# _PM'zO$M Windows M'zD=8 TB>}]>KM'zTC'DO$# 1. \m1 Dale G< SRV3,"+}]b5}DO$|D*“M'z”: db2 update dbm cfg using authentication client db2stop db2start 2. Ivan Z Windows M'zOG< DC1 r(4,{Z DC1 SAM }]bPGI6p D)# 3. Ivan ;sk;v DB2 }]b,S,C}]b+;`?*;Z SRV3 O: xÞßà< “”Dc1 Windows Servr<“ ” xÞßà< “TDC2” ÙÚÚ< “”Ivan Abdul ÙÚ “” ãä ß1 ãä ß2 Þ7 " ß1 ß2 < 7. 9C Windows rDO$ 314 }]b2+T8O DB2 CONNECT to remotedb user Ivan using johnpw 4. Ivan Dzwi$C'{M\k#CZiRKE"D API WHQw>Xzw(Ivan), ;sQwrXFw(DC1),ns"TQwNNIEr#Z DC1 OR=C'{ Ivan# 5. ;s,Ivan DzwC DC1 4i$C'{M\k# 6. ;s SRV3: a. 7(I6p Ivan D;C# b. (}/J DC1 4Kb Ivan GqG\m1# c. 
(}/J DC1 4PYyP Ivan Di# ":Z"T,SA DB2 }]b.0,7#Qt/“DB2 2+~q”#“2+~q”Gw* Windows 20D;?V20D#;s,+20 DB2 "+|“"a”* Windows ~q, +G|;aT/t/#*t/“DB2 2+~q”,kdk NET START DB2NTSECSERVER | n# T+ViD'V(Windows) DB2 }]b53'V+Vi# *9C+Vi,Xk++Vi|(Z;v>XiP#1 DB2 }]b\mw6Y3vK ytDyPi1,|2P>C'dSytD>Xi(IZZ;v+ViP,xC+V i>mG;vr`v>XiDI1)# IZ=VI\D=8P9C+Vi: v |(Z>XiP#XkTK>XiZhmI(# v |(ZrXFwO#XkTK+ViZhmI(# Windows OD DB2 C'O$MiE" C'{Mi{^F(Windows) P;)X(Z Windows 73DV^T#&*@#f DB2 Ts|{fr2JC# v Windows BDC'{;xVs!4;+G,\kxVs!4# v C'{Mi{ITGs4V{k!4V{DiO#+G,1Z DB2 }]bP9C1, |G(#;*;*s4V{#}g,g{,S}]b"4(m schema1.table1,G4 Kmw* SCHEMA1.TABLE1 f"Z}]bP#(g{*9C!4Ts{,G4S |nP&mw"v|n"+Ts{(Z}EP,r_9CZ}= ODBC 0K$_#) v DB2 }]b\mw'V%v{FUd#4,ZIEr73PKP1,`,{FDC' J';&Z`vrPfZrZ~qwD>X SAM Mm;rPfZ# v C'{;&Cki{`,# v >Xi;&Ckr6pi_P`,{F# Windows ODiMC'O$ Z Windows O,(}9CF*“C'\mw”D Windows \m$_4(C'J'4(e C'#|,d{J'(VF*I1)DJ'G;vi# Z 12 B 9CYw532+T 315 iJm Windows \m1,1+(^MmI(ZhiZDwvC'x;XVp,$?v C'#kC'J';y,iGZ“2+TCJ\mw”(SAM)}]bP(e",$ D# P=V`MDi: v >Xi#>XiIT|(Z>XJ'}]bP4(DC'J'#g{>XiZrP D3(zwO,G4>Xi9IT|, Windows rPDrJ'Mi#g{>XiG Z$w>O4(D,G4|GX(ZC$w>D# v +Vi#+Vi;fZZrXFwO,R|,rD SAM }]bPDC'J'#4, +Vi;|,ZdO4(|DrPDC'J';|;\|,NNd{iw*I1# IZ+ViT:DrPD~qwM$w>T0IErP9C+Vi# Windows ODr.dDENX5 ENX5G=vr.dD\mM(E47#=vr.dDENX5JmZ(eC'J 'Dr.bDrP9Cb)J'M+Vi# 2mJ'E"Ti$IErP4-O$DC'J'M+ViD(^MmI(#ENX 5(}+=vr`vriOI%v\m%*4r/C'\m# ENX5PP=vr: v E5r#KrE5m;vrTO$|GDC'# v IEr#Krzm(E5)m;vrO$C'# ENX5G;I+]D#bm>h*Z=vr.dZ?v=rO("T=ENX5# }g,E5rI\;;(GIEr# 9CiMr2+TDO$ (Windows) ZhX(r(e(^6p1,DB2 }]b53Jmz8(>Xir+Vi# XZKNq g{C'DJ'GZ>Xr+ViPT=(eD,r_Gw*(e*>XiI1D+ ViI1~=(eD,G47(C'GiDI1# DB2 }]b\mw'VBP`MDi: v >Xi v +Vi v w*>XiI1D+Vi DB2 }]b\mw9CC'yZD2+T}]b46YCC'ytD>XiM+V i#DB2 }]b53a)K;V2G,^[C'J'D;CgN,X Windows ~qwO6Yi#IT9CBP|n4i5K2G: – TZ+VhC: db2set -g DB2_GRP_LOOKUP=local – TZ5}hC: db2set -i instance_name DB2_GRP_LOOKUP=local 316 }]b2+T8O "vK|n.s,Xk#9 DB2 }]b5},;st/|E\9|Dz'#; s,4(>Xi"+rJ'r+Vi|(Z>XiP# *i4hCDyP DB2 E*D~"amd?,dk db2set -all g{ DB2_GRP_LOOKUP E*D~"amd?hC* local,G4 DB2 }]b\mw;" 
T6YC'Z>XzwODi#g{4+CC'(e*>XiDI1r6WZ>Xi PD+ViDI1,G4i6YYwa'\#DB2 }]b\mw;a"TZCrPm; zwOrZrXFwO6YCC'Di# g{ DB2 }]b\mwZw*J4rPwrXFwr8]rXFwDzwOKP,G 4|\;R=NNIErPDNNrXFw#byD-rG:IErPD8]rXF wDrD{FvZrXFwOE\;6p# 9CCJnF4q!C'DiE"(Windows) CJnFGhvxLr_LD2+OBDDTs#CJnFPDE"|(k}Lr_ LX*DC'J'Dj6MX(# G<1,53(}HO\kk2+}]bPf"DE"4i$\k#g{\kC=O $,G453MazICJnF#zKPD?vxLy9CKCJnFD1># 2Iy]_Y:f>$q!CJnF#(}53O$.s,Yw53Ma_Y:fz D>$#1;\,SrXFw1,ITZ_Y:fP}CO;NGXiMwVri(+Vi"r>XiM(C i)# ":9C6L,S1,49tCKCJnF'V,9CM'zO$Dii/2;\' V# *tCCJnF'V,Xk9C db2set |n4|B DB2_GRP_LOOKUP "amd?# DB2_GRP_LOOKUP n`IT_P=vN},|GT:EVt: v Z;vN}CZ+3Dii/,ITICBP5:“”"“LOCAL”r“DOMAIN”# v Z ~ v N } CZn F y = i i / , I T I C B P 5 : “TOKEN”"“TOKENDOMAIN”r“TOKENLOCAL”# g{8(KZ~vN}(TOKEN"TOKENDOMAIN r TOKENLOCAL),G4|EHZ+3D i6Y#g{nFi6Y'\,G4Z8(K DB2_GRP_LOOKUP DZ;vN}DivB, axP+3Dii/# 5 TOKEN"TOKENDOMAIN M TOKENLOCAL D,egBy>: v TOKENLOCAL nFC4Z>XzwO6Yi(b`1Z+3D“LOCAL”ii/)# v TOKENDOMAIN nFC4Z(eC'D;C(TZ>XC',*>Xzw,TZrC',r*r) 6Yi#b`1Z+3D“”r“DOMAIN”ii/# v TOKEN Z 12 B 9CYw532+T 317 nFC4ZrM>XzwO6Yi#TZ>XC',5XDi+|,>Xi#TZ rC',5XDi+|,rM>Xi#TOKEN N}D5;HZii/N}5:“ ”"“LOCAL”r“DOMAIN”# }g,DB2_GRP_LOOKUP DTBhCtCCJnF'VTc6Y>Xi: db2set DB2_GRP_LOOKUP=LOCAL,TOKENLOCAL B;>}tCCJnF'V,TcZ>XzwT0(eC'j6D;C(g{J'G ZrP(eD)6Yi: db2set DB2_GRP_LOOKUP=,TOKEN nsbv>}tCCJnF'V,TcZ(eC'j6D;C6Yri: db2set DB2_GRP_LOOKUP=DOMAIN,TOKENDOMAIN ":ITyPO$`M(CLIENT O$}b)tCCJnF'V# DB2_GRP_LOOKUP 73d?M DB2 i6Y (Windows) Z Windows O,C'ITtZr6pO(eDiM/r>XzwO(eDi# DB2_GRP_LOOKUP 73d?XFGZ>XzwO9GZ(eC'D;C(TZ>XC', *>Xzw;TZrC',r*r6p)6Yi#rK,12+T\m1Zh(^M X(1,Xk"b4$ZhC DB2_GRP_LOOKUP,7#}7C'SU=$ZDZ(# g{4hC DB2_GRP_LOOKUP E*D~"amd?,G4: 1. DB2 }]b53WH"TZ,;zwOiRC'# 2. g{C'{GT>X==(eD,G4T>X==O$CC'# 3. g{Z>XR;=CC',G4 DB2 }]b53a"TZ|DrOiRCC'{, ;sZIErOxPiR# }g,kXi GROUP1# 2. 2+T\m1(5P SECADM (^)+ DBADM (^Zhi GROUP1# GRANT DBADM ON database TO GROUP GROUP1 3. r*4hC DB2_GRP_LOOKUP,yTaZ(eC'D;C6Yi#rK,aZr6p O6Y DUSER1 Di#r*Zr6pO DUSER1 ;tZi GROUP1,yT DUSER1 ;aSU= DBADM (^# Kb,kX Administrators i# 2. 
r*4hC sysadm_group dCN},yT>X Administrators iDI1aT/5P SYSADM (^# 3. C' DUSER2 \;"v UPGRADE DATABASE |n(r* DUSER2 5P SYSADM (^)#UPGRADE DATABASE |n+T*}6D}]bD DBADM (^Zh SYSADM i,ZKivB,Ci* Administrators i# 4. r*4hC DB2_GRP_LOOKUP,yTaZ(eC'D;C6Yi#rK,aZr6p O6Y DUSER2 Di#r*Zr6pO DUSER2 ;tZ Administrators i,yT DUSER2 ;aSU= DBADM (^# 318 }]b2+T8O TZbViv,I\Dbv=8GxPBPdP;n|D: v hC DB2_GRP_LOOKUP = local v ZrXFwP+&C_P DBADM (^DC'mSA Administrators r GROUP1 i# IT9C SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID m/}4i$C'5 PD(^,gkT DUSER1 DTB>}Py>: SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID (’DUSER1’, ’U’) ) AS T ORDER BY AUTHORITY IT9C SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID m/}4i$ DB2 }]b \mwQ7(C'ytDi,gkT DUSER1 DTB>}Py>: SELECT * FROM TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID (’DUSER1’)) AS T ":g{Zr6pM>XzwO9C`,i{,G4r* DB2 }]b\mw;Pj+ ^(b)i,yTbID DB2 ~qw'V,;x,g{M'zM~qw<; ;Z Windows 73P,G4+;a?F9C DB2DOMAINLIST# r2+T'V(Windows) TB>}5wK DB2 }]b\m53ITgN'V Windows r2+T#r*C'{ k>XiZ,;rO,yTITxP,S# ZTB=8P,r*C'{k>Xr+ViZ,;rO,yTITxP,S# Z 12 B 9CYw532+T 319 "b,C'{k>Xr+Vi^hZKP}]b~qwDrO(e,+|GXkZ, ;vrO# m 50. 
9CrXFwDI&,S Domain1 Domain2 fZk Domain2 DENX5# v fZk Domain1 DENX5# v (eK>Xr+Vi grp2# v (eKC'{ id2# v C'{ id2 G grp2 D;?V# DB2 ~qwZKrPKP#SKrP"vKBP DB2 | n: REVOKE CONNECT ON db FROM public GRANT CONNECT ON db TO GROUP grp2 CONNECT TO db USER id2 (h>Xr+Vr,+R;= id2#(hr2+T# ZKrPR=C'{ id2#DB2 q!XZKC'{Dd{E "(4,|Gi grp2 D;?V)# r*C'{k>Xr+ViZ,;rO,yTITxP, S# (eD)C'5P SYSADM (^(Windows) g{4hC}]b\mwdCN} sysadm_group(4,|* NULL),G43)C'_ P SYSADM (^# b)C'*: v >X Administrators iDI1 v rXFwP Administrators iDI1(1 DB2 }]b\mwdC*Z(eC'D; CO6Yb)C'Di1;I9C DB2_GRP_LOOKUP 73d?4dCi6Y) v DB2ADMNS iDI1(1tCK Windows )92+T1)#DB2ADMNS iD; CZ20Zd7(# v LocalSystem J' Z3)ivB,H0a=D1!P*";OJ#IT(}BPdP;V=(9C}] b\mwdCN} sysadm_group 42GKP*: v Z DB2 ~qwO4(>Xi"rCimSk*Cd5P SYSADM (^DC'(r C'r>XC')#DB2 }]b\mw&dC*Z>XzwO6YC'Di# v 4(ri"rCimSk*Cd5P SYSADM (^DC'#DB2 }]b\mw&d C*Z(eC'D;CO6Yb)C'Di# ;s,9CBP|n+}]b\mwdCN} sysadm_group |B*Ki: DB2 UPDATE DBM CFG USING SYSADM_GROUP group_name DB2STOP DB2START 320 }]b2+T8O Windows >X53J''V Z Windows =(O,DB2 }]b53'V&CLr(}>X~=,SZ>X53J' (LSA) 73BKP#>X53J'DZ(j6G SYSTEM# g{9CG"ofD Windows Yw53,G4h*li>X53J'DZ(j6Gq |,^'V{#}g,g{9C(ofD Windows Yw53, G4>X53J'* Système,+z;\+KJ'CwZ(j6,r*|_P^'V{ è# 1}]b\mwdCN} sysadm_group hC* NULL 1,>X53J'a;O*G 53\m1(5P SYSADM (^)# g{h*&CLrZ>X53J'73BKPT4P;tZ SYSADM wCrZD}] bYw,G4Xk+XhD}]bX(r(^Zh>X53J'#}g,g{&CL rh*}]b\m1&\,k9C GRANT(}]b(^)od+ DBADM (^Zh >X53J'# TZ`4*(}KJ'KPD&CLrD*"_,{Gh**@ DB2 }]b53T# ={T“SYS”*7DTsP;)^F#rK,g{&CLr|,4( DB2 }]bTsD DDL od,G4&C4BP*s`4b)&CLr: v TZ2,i/,|G&Ck QUALIFIER !nD5(x;G1!5 SYSTEM)s( Z;p# v TZ/,i/,*4(DTs&9C DB2 }]b\mw'VD#={T=^(,r _Xk+ CURRENT SCHEMA DfwhC* DB2 }]b\mw'VD#={# DB2 }]b5}t/s,aZxPWNii/ks1U/>X53J'DiE","R XBt/5}.0;a"BKE"# 9C DB2ADMNS M DB2USERS iD)9 Windows 2+T 1!ivB,Z Windows Yw53O,aZ} IBM Data Server Runtime Client M DB2 }/Lr.bDyP DB2 }]bz7PtC)92+T#Z Windows =(O,IBM Data Server Runtime Client M DB2 }/Lr;'V)92+T# 120 DB2 }]bz71,tCYw532+T4!ravVZT DB2 TstCY w532+TfeO#}G{CK!n,qr,20Lra4(=v B i : DB2ADMNS M 
DB2USERS#DB2ADMNS M DB2USERS G1!i{;IT!qZ2 01*b)i8(;,D{F(g{!q2,20,G4ITZ20l&D~Z|D b){F)#g{!q9C53OQfZDi,zXk*@byva^Db)iDX (#+y]h*Tb)iZhBmPyP>DX(#XkKbb)iGCZZYw5 36xP#$,xk DB2 (^6p(}g,SYSADM"SYSMAINT M SYSCTRL); PNNX*#+G,}]b\m1ITy]20_r\m1D*sT;vryP DB2 ( ^6p9C DB2ADMNS i,x;9C1! Administrator i#(i:g{*8(DG SYSADM i,G4y9CDi&CG DB2ADMNS i#CiITZ20Zdr20T sI\m1("# ":IT+ DB2 Administrators i(DB2ADMNS r_Z20Zd!qD{F)M DB2 C'i(DB2USERS r_Z20Zd!qD{F)8(*>Xirri#b=viXk tZ,;`M,4,*4Xi,*4XFczi, G4Xk|B+V"am DB2_ADMINGROUP M DB2_USERSGROUP#*ZX|{. s|B"amd?"XBt/Fcz,kKPTB|n: 1. r*|na>{# 2. KP db2extsec |nT|B2+ThC: db2extsec -a new computer name\DB2ADMNS -u new computer name\DB2USERS ":g{Z Windows Vista OD DB2 }]bz7PtCK)92+T,G4;PtZ DB2ADMNS iDC'EITKP DB2 zP(4PCD~,+GTZ?<,|m>zP(/@C?<# mkivB,yP DB2 \m1<&CG DB2ADMNS iDI1(,12G>X Admin- istrators iDI1),+5JOTK";POq*s#h*CJ DB2 }]b53DNN KX Adminis- trators iDI1,byzEP(^D\#$TsD ACL# zITy]h*`NKP db2extsec |n,+KPj.s,z+;\{C)92+T, }GZ?N4P db2extsec .s"4"v db2extsec -r |n# 322 }]b2+T8O }%)92+T "b: ZtC)92+T.s,k;*}%)92+T,}GxTh*byv# IT(}KP db2extsec -r |n4}%)92+T,+G,;PZtC)92+Ts P44Pd{}]bYw(}g,4(}]b"4(BD5}MmSmUdHH)1 K|nEaI&#CZ}%)92+T!nDn2+D=(G6X DB2 }]b53, >}yP`XD DB2 ?<(|(}]b?<),;sZ;tC)92+TDivBX B20 DB2 }]b53# \#$DTs IT9C DB2ADMNS M DB2USERS i#$D2,Ts*: v D~53 – D~ – ?< v ~q v "am| IT9C DB2ADMNS M DB2USERS i#$D/,Ts*: v IPC J4,b|(: – \@ – EE – B~ v 2mZf DB2ADMNS M DB2USERS i5PDX( BmP>K8(x DB2ADMNS M DB2USERS iDX(: m 51. DB2ADMNS M DB2USERS iDX( X( DB2ADMNS DB2USERS -r 4(jGTs (SeCreateTokenPrivilege) Y N jG&m(3)jG&mYwh*,CZO$ MZ() f ; x L 6 pjG (SeAssignPrimaryTokenPrivilege) YNTm;vC'm]4(xL vS^n (SeIncreaseQuotaPrivilege) Y N Tm;vC'm]4(xL w*Yw53D?~ (SeTcbPrivilege) Y N LogonUser(Windows XP .0Df>*KxP O$x4P LogonUser API 1h*) zI2+TsF (SeSecurityPrivilege) Y N &msFM2+TU> 5PD ~ r d { T s D y P ( (SeTakeOwnershipPrivilege) YN^DTs ACL v s w H E H 6 (SeIncreaseBasePriorityPrivilege) YN^DxL$w/ Z 12 B 9CYw532+T 323 m 51. 
DB2ADMNS M DB2USERS iDX( (x) X( DB2ADMNS DB2USERS -r 8]D~M?< (SeBackupPrivilege) Y N E*D~/"am&m(4P3)C'E*D~ M " a m & m}L 1 h * : LoadUserProfile" RegSaveKey(Ex) "RegRestoreKey"RegReplaceKey M RegLoadKey(Ex)) 4-D~M?< (SeRestorePrivilege) Y N E*D~/"am&m(4P3)C'E*D~ M " a m & m}L 1 h * : LoadUserProfile" RegSaveKey(Ex) "RegRestoreKey"RegReplaceKey M RegLoadKey(Ex)) wTLr (SeDebugPrivilege) Y N jG&m(3)jG&mYwh*,CZO$ MZ() \ m s F M 2 + T U > (SeAuditPrivilege) YNzIsFU>u? w*~qG< (SeServiceLogonRight) Y N w*~qKP DB2 S x g C J K F c z (SeNetworkLogonRight) YYJmxg>$(Jm DB2 }]b\mw9C LOGON32_LOGON_NETWORK !n4O$, baTT\zz0l) Z O $.s 0 d M 'z (SeImpersonatePrivilege) YNM'z0{(Windows ZJm9C3) API 4 0 d DB2 M 'z1 h * : ImpersonateLoggedOnUser"ImpersonateSelf M RevertToSelf H) x ( Z f P D 3 (SeLockMemoryPrivilege) YNs3'V 4(+VTs (SeCreateGlobalPrivilege) Y Y Terminal Server 'V(Windows Oh*) Windows 2008 M Windows Vista r|_f>D"bBn:C' CJXF&\?~ Windows 2008"Windows Vista M Windows 7 D“C'CJXF”(UAC) &\?~+T BP==0l DB2 }]b53# TyP\mX(t/&CLr 1!ivB,Z Windows 2008"Windows Vista M Windows 7 O,vTjX\m12GgK#*T|`X(4t/&CLr, h*STyP\mX(KPD|n0ZPt/|n#DB2 20}L+XX* Windows 2008"Windows Vista M Windows 7 C'4(;vF*“|n0Z - \m1”Dl]= =#g{zkKP\m|n,G4(izt/Kl]==# 1z;PyP\mX(1,g{"TZ Windows 2008"Windows Vista M Windows 7 O(}|na>{rzDCJ;\x"R+^(I&jIb)Nq# *7(4PDYwGq*\mNq,liGq{OTBNNiv: v h* SYSADM"SYSCTRL r SYSMAINT (^ 324 }]b2+T8O v a^D"amP HKLM V'BD"am| v 4k Program Files ?} DB2 5} v t/M#9 DB2 5} v 4(}]b v |B}]b\mwdCN}r DB2 \m~qw(DAS)dCN} v |B CLI dCN}MdC53}]4{F(DSN) v t/ DB2 zY$_ v KP db2pd 5CLr v |D DB2 E*D~"amd? 
*bvKJb,Xk9Cj+\m1X(KPD|na>{r{rD{F(1!ivB,DB2COPY1 G20DZ;v 1>D{F)#Z} Windows 2008"Windows Vista M Windows 7 .bDd{ Win- dows f>O,C'}]f"Z Documents and Settings\All Users\Application Data\ IBM\DB2\copy_name P# DB2 M UNIX 2+T h*Kb;)X(Z UNIX =(D2+T"bBn# DB2 }]b;'V root C'1Sd1}]b\m1#&9C su - w*}]b\m1# (#,*K2+p{,k;*9C5}{w* Fenced ID#+G,g{rc;9C\@ $D UDF rf"}L,G4IT+ Fenced ID hC*5}{,x;C4(m;vC' j6# (i4(;v;O*kKi`X*DC'j6#+\@$D UDF Mf"}LDC'8 (*5}4(E>DN}(db2icrt ... -u )#g{20K“DB2 M'z ”r“DB2 m~*"_$_d”,G4;h*byv# DB2 M Linux 2+T I\h*Kb;)X(Z Linux =(D2+T"bBn# |D\k'V(Linux) Z Linux Yw53O,DB2 }]bz7'V|D\k# Z 12 B 9CYw532+T 325 K'VG(}9CF* IBMOSchgpwdclient.so M IBMOSchgpwdserver.so D2+e~ b5VD# *Z Linux OtC\k|D'V,k+}]b\mwdCN} clnt_pw_plugin hC* IBMOSchgpwdclient,+ srvcon_pw_plugin hC* IBMOSchgpwdserver# ,19XkZ /etc/pam.d ?9CKD~: auth required pam_unix2.so nullok account required pam_unix2.so password required pam_pwcheck.so nullok tries=1 password required pam_unix2.so nullok use_authtok use_first_pass session required pam_unix2.so Z RHEL O,IT4gBy>9CKD~: #%PAM-1.0 auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=3 password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so 3. tC DB2 5}PD2+e~: a. +}]b\mwdCN} SRVCON_PW_PLUGIN D5|B* IBMOSchgpwdserver: 326 }]b2+T8O db2 update dbm cfg using srvcon_pw_plugin IBMOSchgpwdserver b. +}]b\mwdCN} CLNT_PW_PLUGIN D5|B* IBMOSchgpwdclient: db2 update dbm cfg using CLNT_PW_PLUGIN IBMOSchgpwdclient c. 
7#+}]b\mwdCN} SRVCON_AUTH D5hC* CLIENT"SERVER" SERVER_ENCRYPT"DATA_ENCRYPT r DATA_ENCRYPT_CMP,r_+}]b\mwd CN} SRVCON_AUTH D5hC* NOT_SPECIFIED,"+ AUTHENTICATION D5h C* CLIENT"SERVER"SERVER_ENCRYPT"DATA_ENCRYPT r DATA_ENCRYPT_CMP# Z 12 B 9CYw532+T 327 328 }]b2+T8O =< A. DB2 Lr – LL v DB2 i. – PDF D~(IBX) – PDF D~(Z DB2 PDF DVD P) – !"fi. v |nPoz – |noz – {"oz ":DB2 E"PDwbD|B5JH PDF i.r2=4i.D|B5J_#*q!n BE",k20ICDD5|Br_ND ibm.com OD DB2 E"PD# zITZ_CJ ibm.com ODd{ DB2 c:http:// www.ibm.com/software/data/sw-library/# D54! RGG#XSzT DB2 D5D4!#g{zkMgNDF DB2 D5av(i,kr db2docs@ca.ibm.com "MgSJ~#DB2 D5!i+DAzDyP4!,+^(1S xzp4#k!I\a)_eD>},byRGE\|CXKbzyXDDJb#g {z*a)PX_ewbrozD~D4!,kSOjbM URL# k;*9CTOgSJ~X7k DB2 M''Vz9*5#g{zv=D5^(bvD DB2 M-kf># !\b)mj6i.P!"f,+I\4ZzyZzRrXxa)# ?N|BVa1,m%EDVaDnBf># ":DB2 E"PDD|B5JH PDF r2=4i.D|B5J_# © Copyright IBM Corp. 2013 329 m 52. DB2 SQL 4,oz DB2 z7kTI\d1 SQL oda{Du~5X SQLSTATE 5#SQLSTATE oz 5w SQL 4,M SQL 4,`zkD,e# }L *t/ SQL 4,oz,kr*|nP&mw"dk: ? sqlstate or ? class code =< A. DB2 P'D 5 ; SQL 4,,class code m>C SQL 4,D0 2 ;# }g,? 
08003 T> 08003 SQL 4,Doz,x ?08T> 08 `zkDoz# CJ;,f>D DB2 E"PD zITZ ibm.com® OD;,E"PDPR=d{f> DB2 z7DD5# XZKNq TZ DB2 V10.1 wb,DB2 E"PD URL G http://publib.boulder.ibm.com/infocenter/ db2luw/v10r1# TZ DB2 V9.8 wb,DB2 E"PD URL G http://publib.boulder.ibm.com/infocenter/ db2luw/v9r8/# TZ DB2 V9.7 wb,DB2 E"PD URL G http://publib.boulder.ibm.com/infocenter/ db2luw/v9r7/# TZ DB2 V9.5 wb,DB2 E"PD URL G http://publib.boulder.ibm.com/infocenter/ db2luw/v9r5# TZ DB2 V9.1 wb,DB2 E"PD URL G http://publib.boulder.ibm.com/infocenter/ db2luw/v9/# TZ DB2 V8 wb,k*A DB2 E"PD URL:http://publib.boulder.ibm.com/infocenter/ db2luw/v8/# |B20ZFczrZ?x~qwOD DB2 E"PD 20Z>XD DB2 E"PDXk(ZxP|B# *<.0 XkQ20 DB2 V10.1 E"PD#PXj8E",kND20 DB2 ~qwPD“9C DB2 20r<420 DB2 E"PD”wb#yPJCZ20E"PDDHvu~M^ F,yJCZ|BE"PD# XZKNq ITT/rV/|BVPD DB2 E"PD: v T/|B+|BVPDE"PD&\?~MoT#T/|BD;vEcG,kV/ |B`H,E"PDD;IC1dOL#mb,T/|BIhC*w*(ZKPD d{z&mw5D;?VKP# v IT9CV/|B=(4|BVPDE"PD&\?~MoT#T/|BITuL |B}LPD#z1d,+g{zkmS&\?~roT,G4Xk4PV/} L#}g,g{>XE"PDnu20DG"oM(of,xVZ9*20Bo f;G4V/|B+20Bof,"|BVPE"PDD&\MoT#+G,V/ |B*szV/#9"|BMXBt/E"PD#Z{v|B}LZdE"PD; IC#ZT/|B}LP,E"PDvZ|BjIs#9$wTXBt/E"P D# 332 }]b2+T8O Kwbj85wKT/|BD}L#PXV/|BD8>E",kND“V/|B20 ZzDFczrZ?x~qwOD DB2 E"PD”wb# }L *T/|B20ZFczrZ?x~qwOD DB2 E"PD: 1. Z Linux Yw53O, a. /@AE"PDD20;C#1!ivB,DB2 E"PD20Z /opt/ibm/ db2ic/V10.1 ?: update-ic 2. Z Windows Yw53O, a. r*|n0Z# b. /@AE"PDD20;C#1!ivB,DB2 E"PD20Z \IBM\DB2 Information Center\V10.1 ? m > Program Files ?BDT0|BsD wb#g{E"PD|B;IC,G4aZU>PmS{"#U>D~;Z doc\ eclipse\configuration ?D~{FGfzzID`E#}g, 1239053440785.log# V/|B20ZFczrZ?x~qwOD DB2 E"PD g{zQZ>X20 DB2 E"PD,G4IS IBM q!D5|B"xP20# XZKNq V/|B20Z>XD DB2 E"PD*sz: 1. #9FczOD DB2 E"PD,;sT@"==XBt/E"PD#g{T@"= =KPE"PD,G4xgODd{C'+^(CJE"PD,rxzIT&C| B#DB2 E"PDD$w>f>\GT@"==KP# 2. 
9C“|B”&\?~4i4ICD|B#g{PzXk20D|B,G4k9C“ |B”&\?~4q!"20b)|B# ":g{zD73*sZ;(4,SArXxDzwO20 DB2 E"PD|B,k 9C;(Q,SArXx"Q20 DB2 E"PDDzw+|B>c5qA>XD~ 53#g{xgPPm`C'+20D5|B,G4IT(}Z>X2*|B>c Fw5q"*|B>c4(zm4uL?vK4P|Byh*D1d# g{a)K|B|,k9C“|B”&\?~4q!b)|B|#+G,;PZ%z ==BE\9C“|B”&\?~# =< A. DB2 O,TsP>ZK?VD|nXk w*\m1KP#*r*_P+f\m1X(D|na>{r XFfe > \m$_ > ~q#R|%w DB2 E "PD~q,"!q#9# v Z Linux O,dkTB|n: /etc/init.d/db2icdv10 stop 2. T@"==t/E"PD# v Z Windows O: a. r*|n0Z# b. / @ A E " P D D 2 0 ; C # 1 ! i v B , DB2 E " P D 2 0 Z Program_Files\IBM\DB2 Information Center\V10.1 ? Program Files ?: help_start 531! Web /@w+r*TT>@"E"PD# 3. %w|B4%( )#(XkZ/@wPtC JavaScript#) ZE"PDDR_f eO,%wiR|B# +T>VPD5D|BPm# 4. *t/20}L,kliz*20D!n,;s%w20|B# 5. Z20xLjIs,k%wjI# 6. *#9@"E"PD,k4PBPYw: v Z Windows O,/@A20?: help_end 334 }]b2+T8O ":help_end E>|,2+X#99C help_start E>t/DxLyhD|n# ;*9CNNd{=(4#9 help_start E># 7. XBt/ DB2 E"PD# v Z Windows O,%w*< > XFfe > \m$_ > ~q#R|%w DB2 E "PD~q,"!qt/# v Z Linux O,dkTB|n: /etc/init.d/db2icdv10 start a{ |BsD DB2 E"PD+T>BDT0|BsDwb# DB2 LL DB2 LLozzKb DB2 }]bz7Dwv=f#b)NLa)Kp=8>E"# *<.0 zITZE"PDPi4 XHTML fDLL:http://publib.boulder.ibm.com/infocenter/ db2luw/v10r1/# 3)NL9CKy>}]rzk#PXdX(NqDNNHvu~Dhv,kNDL L# DB2 LL *i4LL,k%wjb# pureXML 8OPD:pureXML®; hC DB2 }]bTf" XML }]T0T>z XML }]f"w4Py>Y w# DB2 JOoOE" RGa)KwVwyDJOoOMJb7(E"4ozz9C DB2 }]bz7# DB2 D5 zITZ6JOoOMw{}]bT\7r_ DB2 E"PDD“}]by!”? VPR=JOoOE",b)E"|,TBZ]: v PXgN9C DB2 oO$_M5CLr4tkM7(JbDE"# v ;)n#{JbDbv=8# v ca)K8rnB DB2 vfo"x7*:http://www.ibm.com/support/entry/portal/Overview/ Software/Information_Management/DB2_for_Linux,_UNIX_and_Windows =< A. 
DB2 cD9Cun0TBunMu~# vK9C:;*#tyPD(P(yw,zMIT*vK"GL59C4Fb)vf o#4- IBM w7,b,z;ITV""9>rFwb)vfordPNN?VD] ow7# L59C:;*#tyPD(P(yw,zMITvZs5Z4F"V"M9>b) vfo#4- IBM w7,b,z;ITFwb)vfoD]ow7,r_ZzDs5 b?4F"V"r9>b)vfordPDNN?V# ({:}G>mI(Pw7Zh,qr;CZhTb)vfordP|,DNNE ""}]"m~rd{*6z(DNNmI("mI$r({,^[Gw>D9G5 ,D# IBM #ty]TmDPO,O*TvfoD9Cp&K IBM D(f(I IBM Tm7 ()r4}7q-TO8>E"1,7XK&yZh(^D({# ;Pzj+q-yPJCD(IM(f,|(yPD@zvZ(IM(f,zEIT BX"vZrYvZCE"# IBM Tb)vfoDZ];wNN#$#b)vfo“4V4”a),;=PNNV`D (^[Gw>D9G5,D)#$,|(+;^Z5,DXZJzMJCZ3VX( C>D#$# IBM Lj: IBM" IBM UjM ibm.com G International Business Machines Corp., Z +rm`\=xr"aDLjr"aLj#d{z7M~q{FI\G IBM rd{+ >DLj#10D IBM LjPm,IS Web >c www.ibm.com/legal/ copytrade.shtmlqC 336 }]b2+T8O =< B. yw >E"G*Z@za)Dz7M~q`4D#PXG IBM z7DE"GyZWNvf KD51DIqE"Raf1|B# IBM I\Zd{zRrXx;a)>D5PV[Dz7"~qr&\XT#PXz10 yZxrDz7M~qDE",krz1XD IBM zmI/#NNT IBM z7"L rr~qD}C"GbZw>r5>;\9C IBM Dz7"Lrr~q#;*;V8 IBM D*6z(,NN,H&\Dz7"Lrr~q,I\Q5Pr}Zjkk>D5Z]PXDwn({#a)>D5"4ZhC '9Cb)({DNNmI#zITCif==+mIi/Dy: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. PX+VZV{/ (DBCS) E"DmIi/,kkzyZzRrXxD IBM *6z( ?E*5,rCif==+i/Dy: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 1623-14, Shimotsuruma, Yamato-shi Kanagawa 242-8502 Japan >un;JC"zrNNbyDunk1X(I;;BDzRrXx:International Busi- ness Machines Corporation“4V4”a)>vfo,;=PNNV`D(^[Gw>D9 G5,D)#$,|(+;^Z5,DPXGV("JzMJCZ3VX(C>D# $#3)zRrXxZ3);WP;Jmb}w>r5,D#$#rK>unI\; JCZz# >E"PI\|,JODBf>P#IBM ITf1T>JOPhvDz7M/rLrxPD xM/r|D,x;mP(*# >E"PTG IBM Web >cDNN}C<;G*K=cp{Ea)D,;TNN== d1TG) Web >cD#$#G) Web >cPDJO;GK IBM z7JOD;? V,9CG) Web >cx4DgU+IzTPP## IBM IT4|O*J1DNN==9CrV"zya)DNNE"x^kTzP#NN pN# © Copyright IBM Corp. 
2013 337 >LrD;mI=g{*KbPXLrDE"To=gB?D:(i) JmZ@"4(DL rMd{Lr(|(>Lr).dxPE";;,T0 (ii) JmTQ-;;DE"xP `%9C,kkBPX7*5: IBM Canada Limited U59/3600 3600 Steeles Avenue East Markham, Ontario L3R 9Z7 CANADA ;*qXJ1DunMu~,|(3)iNBD;(}?D6Q,JOPhvDmILr0dyPICDmIJOyI IBM @] IBM M'-i"IBM zJm~mI-irNN,H-iPDuna)# K&|,DNNT\}]D5DC'&1i$dX(73DJC}]# f0G IBM z7DE"ISb)z7D)&L"dvf5wrd{I+*qCDJO Pq!#IBM ;PTb)z7xPbT,2^(7OdT\D+7T"f]TrNNd {XZG IBM z7Dyw#PXG IBM z7T\DJb&1rb)z7D)&La v# yPXZ IBM 44=rrbrDywK?jMb8xQ# >E"I\|,ZU#5qYwP9CD}]M(fD>}#*K!I\j{X5w b)>},>}PI\a|(vK"+>"7FMz7D{F#yPb){FE"|(4oTN=Dy>&CLr,b)y>5w;,Yw=(OD`L=(# g{G*4UZ`4y>LrDYw=(OD&CLr`LSZ (API) xP&CLrD *""9C"-zrV",zITNNN=Tb)y>LrxP4F"^D"V", x^kr IBM 6Q#b)>}"4ZyPu~Bw+fbT#rK,IBM ;\##r 5>b)LrDI?T"I,$Tr&\#Ky>Lr“4V4”a),R;=PNN V`D#$#TZ9CKy>Lry}pDNNp5,IBM +;P#pN# 2b)y>LrD?]=4rdNN?VrNN\zz7,Dy>Lr\zv4D# © Copyright IBM Corp. _enter the year or years_. All rights reserved. Lj IBM Lj:IBM" IBM UjM ibm.com G International Business Machines Corp., Z +rm`\=xr"aDLjr"aLj#d{z7M~q{FI\G IBM rd{+ 338 }]b2+T8O >DLj#10D IBM LjPm,IS Web >c www.ibm.com/legal/ copytrade.shtml O“f(MLjE"”?Vq!# BPwnGd{+>DLjr"aLj v Linux G Linus Torvalds Z@zM/rd{zRrXxD"aLj# v Java MyPyZ Java DLjMUjG Oracle M/rdS+>DLjr"aLj# v UNIX G The Open Group Z@zMd{zRrXxD"aLj# v Intel"Intel Uj"Intel Inside"Intel Inside Uj"Celeron"Intel SpeedStep"Itanium M Pentium G Intel Corporation rdS+>Z@zMd{zRrXxDLjr"a Lj# v Microsoft"Windows"Windows NT M Windows UjG Microsoft Corporation Z@ zM/rd{zRrXxDLj# d{+>"z7r~q{FI\Gd{+>DLjr~qjG# =< B. yw 339 340 }]b2+T8O w} [A] 2+jE (LBAC) _T j8E" 147 f]}]`M 153 9C 153 V{.q= 155 i~ 147 ARRAY i~`M 149 SET i~`M 149 TREE i~`M 149 2+T e~ ?p 185, 193, 194, 195, 196, 215, 326 u) 192 API(C'j6/\k) 231 API(ilw) 224 API(GSS-API) 252 GSS-API(?p) 195 GSS-API(^F) 252 LDAP(a?6? 
269 API wC3r 271 API wC3rIEOBD 272 API wC3r,S/Pw 273 API wC3r SET SESSION AUTHORIZATION 273 API wC3r - ;fZ,SXC 272 API wC3r - }#,S 272 DATA_ENCRYPT 274 location 256 Z~qwO,$\k 17 API((E:exvZb) 259 CLIENT 6p 6 db2extsec |n 321 UNIX 325 Windows Ev 313 )9 321 C' 320 r2+T 319 [B] oz SQL od 331 s( XBs(^'| 44 #fcj6VN 95 8] 2+gU 50, 77 © Copyright IBM Corp. 2013 341 8] (x) S\ 77 >X53J' 'V 321 m ek=\ LBAC #$D 165 7zX( 44 }% LBAC #$ 174 A!1 LBAC D0l 163 CJXF 47 lwE" _PCJ(D{F 179 sF_T 85 9C LBAC #$ 145, 162 X( 44 mUd X( 37 [C] e~ 2+T f> 192 ?p 193, 194, 195, 196, 326 ms{" 218 5Xk 216 |{<( 189 ^F(e~b) 213 ^F(**) 215 ^F(GSS-API O$) 252 API 219, 223 j6O$ 231 \kO$ 231 ilw 224 GSS-API O$ 252 LDAP 197 Lr| _Pi/DCJX( 46 Z(j6 Iz 40 9C 40 yP( 45 X( 7z(Ev) 44 Ev 38 XE EXECUTE 1dAG 99 +dc2+T(TLS) Ev 64 ms IEOBD 122 P;C' 122 ms{" 2+e~ 218 [D] wT 2+e~ 192 /, SQL EXECUTE X( 46 Ts yP( 17 [F] 5Xk GSKit 68 =( X( 39 @p= g76p 183 A;7Iw 183 j8E" 183 &CLrzm 183 P4,D`cli (SMLI) 184 CJXF m 47 yZj)DCJXF 145 O$ 6 S< 47 X(ZP 145 X(ZP 145 8#HPMP kND RCAC 125 DBADM(}]b\m)(^ 49 CJnF Windows 317 ~qwO$e~ 197 [G] |B DB2 E"PD 332, 333 LBAC D0l,T 167 +C\?\ku 66 JOoO 2+e~ 192 LL 335 *zE" 335 i5 sFU>D~ 88 fr/ (LBAC) b} 160 j8E" 156 }L X( 39 342 }]b2+T8O [H] /} j? DECRYPT_BIN 52 DECRYPT_CHAR 52 ENCRYPT 52 GETHINT 52 X( 39 P ek \ LBAC #$D}] 165 }% LBAC #$ 174 |B \ LBAC #$D}] 167 >} \ LBAC #$D}] 172 9C LBAC #$ 162 9C LBAC 1A! 163 PMPCJXF kND RCAC 125 a0Z(j6 Ev 40 [J] yZj)DCJXF kND LBAC 145 G< audit 83 S\ }] 52 S\D~53 (EFS) 80 LL JOoO 335 Pm 335 Jb7( 335 pureXML 335 G+ cNa9 109 7zX( 110 4( 108 S IBM Informix Dynamic Server (F 113 j8E" 107 ki 112 WITH ADMIN OPTION Sd 111 2,}] 77 2, SQL EXECUTE X( 46 [K] IekO$#i PAM 199, 202, 203, 205 IEM'z CLIENT 62+T 6 IE,S Ev 117 ("T=IE,S 115 IEOBD Ev 117 G+I1JqLP 119 sF_T 85 Jb7( 122 M'zO$e~ 197 b 2+e~ ^F 213 Z DB2 P0k 212 )9 Windows 2+T 321 [L] }LwCLrZ(j6 40 P \ LBAC #$D ek 165 A! 163 |B 167 >} 172 LBAC #$ }% 174 mS 162 [M] \k |D Linux 326 Z~qwO,$ 17 \ku +C\? 
66 \kW~ 66 |{<( Windows ^F 315 #= X( 36 [N] ZCS< AUTHORIZATIONIDS >} 178 ^FCJ 180 OBJECTOWNERS ^FCJ 180 PRIVILEGES >} 178 ^FCJ 180 w} 343 GF X( dS(}Lr| 46 [P] dC LDAP e~ 206 [Q] (F G+ 113 P; C'j6 115, 120 +Vi'V 315 (^ 2+T\m1 (SECADM) 29 S SYSCTRL P}% DBADM 26 CJXF (ACCESSCTRL) 32 Ev 17, 22 $w:X\m (WLMADM) 34 sF_T 85 }]CJ (DATAACCESS) 33 }]b\m (DBADM) 30, 35 5w\m(EXPLAIN) 35 53\m(SYSADM) 25 53`S(SYSMON) 27 53XF (SYSCTRL) 26 53,$(SYSMAINT) 26 ~=#=(IMPLICIT_SCHEMA) 35 LOAD 35 SQL \m (SQLADM) 33 (^{F lw _PmCJ(^D{F 179 _P DBADM (^D{F 179 {F,{CZhDX( 178 ZhDX( 179 *X(E"4(S< 180 1!X( 41 [R] O$ 2+e~ 185 j6M\k 185 e~ 2+T 185 ?p 193, 194, 196, 326 b;C 189 C'j6/\kO$e~D API 231 CZu audit 83 [S] O4 j8E" 156 sFU> i5 88, 94 D~{ 91 location 88 sFh) mPDsF}] 4(m 92 0km 93 Yw 83 _T 85 ms&m 101 TsG<`M 277 Ev 83 344 }]b2+T8O sFh) (x) i5 94 P* 101 G<} 47 PCJ 47 PCJ 47 X(E" 180 Z(j6 2+T#MEv 1 IEM'z 6 `M 40 j8E" 2 ~=(^ 45 LDAP 209 SETSESSIONUSER X( 36 }] 2+T Ev 1 53?< 180 ek \ LBAC #$D 165 yZjEDCJXF (LBAC) A! 163 |B 167 }] (x) yZjEDCJXF (LBAC) (x) !{#$ 174 yZj)DCJXF (LBAC) ek 165 Ev 162 mS#$ 162 S\ 52 dSCJ 50 audit 4(m 92 0kmP 93 }]b CJ Lr|PD~=X( 46 1!(^ 41 1!X( 41 yZjEDCJXF (LBAC) 145 }]bTs G+ 107 }]b6p(^ Ev 22 }]b?< mI( 5 }]b(^ 7z 28 Ev 28 (^ Ev 28 }V$i Ev 65 \m 53 w} X( Ev 39 yP( }]bTs 17, 177 [T] X( m 37 mUd 37 cNa9 17 7z Ev 44 G+ 110 Lr| 4( 38 ~= 17 Ev 17 vp 17 f. 2 dS |,GFDLr| 46 G+ 107 w} 345 X( (x) #= 36 (^ G+ 112 S< 37 w} Ev 39 yP( 17 (}IEOBDG+q! 
119 53?< X(E" 177 ^FCJ 180 PXQZhX(D(^{DE" lw 178, 179 ALTER m 37 rP 39 CONTROL 37 DELETE 37 EXECUTE }L 39 GRANT od 43 INDEX 37 INSERT 37 REFERENCES 37 SELECT 37 SETSESSIONUSER 36 UPDATE 37 USAGE $w:X 39 rP 39 unMu~ vfo 336 (E:exvZb ?p 255 Ev 255 *" ms&m 270 5Xk 270 Ev 258 /}a9 267 :exa9 269 XF,S 269 ,SxX 274 ?j_-Zc 274 ^F 270 E"a9 268 API f> 269 API wC3r(;fZ,SXC) 272 API wC3r(Ev) 271 API wC3r(IEOBD) 272 API wC3r(,S/Pw) 273 API wC3r(}#,S) 272 API wC3r (SET SESSION AUTHORIZATION) 273 DATA_ENCRYPT O$ 274 |{<( 256 (E:exvZb (x) tC 257 Jb7( 258 mI( 256 0kb 258 API db2commexitDeregister 262 db2commexitFreeErrormsg 266 db2commexitInit 259 db2commexitRecv 263 db2commexitRegister 261 db2commexitSend 264 db2commexitTerm 260 db2commexitUserIdentity 265 location 256 [W] D5 Ev 329 9CunMu~ 336 !"f 329 PDF D~ 329 D~{ sFU> 91 Jb7( 2+e~ 192 LL 335 ICDE" 335 UV Ev 64 [X] 8E#HCJXF kND RCAC 125 53?< 2+T 180 lw _PmCJ(^D{F 179 _PX(D(^{F 178 _P DBADM (^D{F 179 Zh{FDX( 179 P>X( 177 53Z(j6 40 B4 j8E" 156 T=IE,S (" 115 C'j6P; 115, 120 ENX5 Windows 316 mI( ?< 5 Z(Ev 2 346 }]b2+T8O mI( (x) X(ZPD#$ 145 X(ZPD#$ 145 rP X( 39 [Y] ~=(^ \m 45 C'j6 =?V 190 P; 120 !q 3 LDAP 209 C'{ Windows ^F 315 PrrPm 319 od5`MVN 95 od5}]VN 95 od5w}VN 95 r 2+T O$ 316 ENX5 316 Windows 319 PrrPm 319 rXFw Ev 313 [Z] "amd? 
DB2COMM 53 (P{F (DN) 209 i CJnF 317 G+HO 112 6Y (Windows) 318 {F 315 !q 3 C'O$ 316 ii/'V j8E" 197, 210 iD6Y 318 A ACCESSCTRL(CJXF)(^ Ev 28 j8E" 32 AIX dC8w LDAP 199 O$=( 200 AIX S\D~53 (EFS) 80 ALTER X( 37, 39 alternate_auth_enc dCN} 9C AES 256 ;c(xPS\ 6 API 2+e~ Ev 223 db2secClientAuthPluginInit 236 db2secClientAuthPluginTerm 238 db2secDoesAuthIDExist 238 db2secDoesGroupExist 225 db2secFreeErrormsg 226 db2secFreeGroupListMemory 226 db2secFreeInitInfo 239 db2secFreeToken 239 db2secGenerateInitialCred 240 db2secGetAuthIDs 241 db2secGetDefaultLoginContext 243 db2secGetGroupsForUser 226 db2secGroupPluginInit 229 db2secPluginTerm 230 db2secProcessServerPrincipalName 245 db2secRemapUserid 245 db2secServerAuthPluginInit 247 db2secServerAuthPluginTerm 249 db2secValidatePassword 249 (E:exvZb Ev 259 db2commexitDeregister 262 db2commexitFreeErrormsg 266 db2commexitInit 259 db2commexitRecv 263 db2commexitRegister 261 db2commexitSend 264 db2commexitTerm 260 db2commexitUserIdentity 265 C'j6/\ke~ 231 ie~ db2secDoesGroupExist 225 db2secFreeErrormsg 226 db2secFreeGroupListMemory 226 db2secGetGroupsForUser 226 db2secGroupPluginInit 229 db2secPluginTerm 230 ilwe~ 224 archivepath N} 88 AUDIT B~ 305 audit_buf_sz dCN} 7(`4sFG} 119 CREATETAB (^ 28 CREATE_EXTERNAL_ROUTINE (^ 28 CREATE_NOT_FENCED_ROUTINE (^ 28 D DATAACCESS(}]CJ)(^ Ev 28 j8E" 33 Database Encryption Expert 77 datapath N} 88 DB2 E"PD f> 332 |B 332, 333 DB2ADMNS i (e-5P SYSADM (^ 320 j8E" 321 db2audit.log D~ 83 db2cluster |n 2+T#M 105 DB2 /:~q\m1 105 DB2COMM "amd? dC2+WSVc (SSL) 'V 53 DB2LBACRULES LBAC fr/ 156 DB2LDAPSecurityConfig 73d? Ev 206 DB2SECURITYLABEL }]`M a)w75 161 w*V{.i4 161 DB2USERS C'i j8E" 321 DB2_GRP_LOOKUP 73d? 318, 320 DB2_GRP_LOOKUP "amd? 
317 DBADM(}]b\m)(^ Ev 28 lw{F 179 XFCJ 49 j8E" 30 DELETE X( 37 E efsenable |n 80 efskeymgr |n 80 efsmgr |n 80 ENABLE_SSL N} 206 Encryption Expert 77 ExampleBANK RCAC =8 2+_T 139 PmI( 141 ri 139 PZk 142 }]i/ 143 }]bm 141 }]bC'MG+ 140 ExampleHMO RCAC =8 2+_T 126 2+%"w 138 2+/} 136 2+T\m 130 ek}] 133 7z(^ 139 4(S< 135 |B}] 133 PmI( 131 ri 126 PZk 131 }]i/ 134 }]bm 128 }]bC'MG+ 127 EXECUTE `p XEn/ 99 Ev 95 sFG< 301 sFE" 98 EXECUTE B~ 305 EXECUTE X( Lr| 38 }L 39 }]bCJ 46 EXPLAIN (^ Ev 28 j8E" 35 348 }]b2+T8O F FGAC kND RCAC 125 G GRANT od Ev 43 >} 43 ~=(^ 45 GROUPNAME_ATTRIBUTE N} 206 GROUP_BASEDN N} 206 GROUP_LOOKUP_ATTRIBUTE tT 210 GROUP_LOOKUP_METHOD N} dC LDAP e~#i 206, 210 GROUP_OBJECTCLASS N} 206 GSKCapiCmd $_ dC2+WSVc (SSL) 'V 53, 60 GSKit &mfr 67 5Xk 68 bfr 67 dC2+WSVc (SSL) 'V 53, 60 GSS-API O$e~ 252 H HP-UX 8w LDAP 203 I IBM Database Encryption Expert 77 IBMLDAPSecurity.ini D~ 206 IKEYCMD $_ 53, 60 iKeyman $_ 53, 60 IMPLICIT_SCHEMA(~=#=)(^ Ev 28 j8E" 35 INDEX X( j8E" 39 INSERT X( 37 K Kerberos O$-i e~ ?p 196 4( 16 ~qw 6 Ev 11 |{ 14 tC 15 Kerberos O$-i (x) hC 12 3d 14 we 14 IBM i f]T 16 System z f]T 16 Windows f]T 16 KRB_SERVER_ENCRYPT O$`M 6 L LBAC 2+jE HO 155 7z 153 4( 153 Ev 145 f]}]`M 153 (^ 153 >} 153 j8E" 153 V{.q= 155 i~ 147 ARRAY i~`M 149 SET i~`M 149 TREE i~`M 149 2+_T Ev 145 mSAm 162 j8E" 147 2+T\m1 145 ek}] 165 }%#$ 174 A!}] 163 Ev 17, 145 |B}] 167 fr/ HO2+jE 155 Ev 156 DB2LBACRULES 156 frb}( T2+jEHOD0l 155 j8E" 160 >$ 145 >}P 172 \#$Dm 145 LDAP 2+e~ 197 e~ 206, 209 8w AIX 199 HP-UX 203 Kerberos 200 Linux 202 Solaris 205 LDAP_HOST N} 206 w} 349 Linux 2+T 325 8w LDAP 202 LOAD (^ Ev 28 j8E" 35 LocalSystem J' (^ 25 SYSADM (^ 320 N NESTED_GROUPS N} 206 O OBJMAINT B~ 305 P PRECOMPILE |n OWNER !n 45 PUBLIC T/ZhD}]b(^ 28 Q QUIESCE_CONNECT (^ 28 R RCAC =8 kND ExampleBANK RCAC =8 139 kND ExampleHMO RCAC =8 126 Ev 125 fr 125 fr\m SQL od 126 mI(PDu~, ZkPDu~, fr\m j?/}, mI(PDu~, ZkPDu~ 126 ExampleBANK kND ExampleBANK RCAC =8 139 ExampleHMO kND ExampleHMO RCAC =8 
126 REFERENCES X( 37 REVOKE od Ev 44 >} 44 ~="v 45 S SEARCH_DN N} 206 SEARCH_PW N} 206 SECADM(2+T\m1)(^ Ev 28 j8E" 29 SECLABEL j?/} Ev 161 SECLABEL_BY_NAME j?/} Ev 161 SECLABEL_TO_CHAR j?/} Ev 161 SECMAINT B~ 305 SELECT X( 37 SERVER O$`M Ev 6 SERVER_ENCRYPT O$`M Ev 6 SET ENCRYPTION PASSWORD od S\\k 52 SETSESSIONUSER X( j8E" 36 Solaris Yw53 8w LDAP 205 SQL od oz T> 331 Z(j6 40 SQLADM(SQL \m)(^ Ev 28 j8E" 33 SSL \kW~ 66 dC DB2 M'z 60 DB2 5} 53 6k= SQL M'z 60 O$PD 65 }V$i 65 UV 64 -i 64 CATALOG TCPIP NODE |n 60 CLI M'z 60 CLP M'z 60 DB2 Connect 53 SSLClientKeystash ,SN} dC SSL 60 SSLClientKeystoredb ,SN} dC SSL 60 ssl_cipherspecs dCN} 8(\kW~ 53, 66 ssl_client_keystash ,SN} dC SSL 60 ssl_client_keystoredb ,SN} dC SSL 60 350 }]b2+T8O ssl_clnt_keydb dCN} dC SSL 60 ssl_clnt_stash dCN} dC SSL 60 SSL_KEYFILE 206 SSL_PW 206 SSL_RSA_FIPS_WITH_3DES _EDE_CBC_SHA \kW~ 53 ssl_svcename dCN} dC SSL 53 ssl_svr_keydb dCN} dC SSL 53 ssl_svr_stash dCN} dC SSL 53 ssl_versions dCN} dC SSL 53 SYSADM(53\m)(^ j8E" 25 Windows 320 SYSADMIN B~ 305 sysadm_group dCN} Windows 320 SYSCAT S< 2+TJb 177 SYSCTRL(53XF)(^ j8E" 26 SYSDEFAULTADMWORKLOAD $w:X 39 SYSDEFAULTUSERWORKLOAD $w:X 39 SYSMAINT(53,$)(^ j8E" 26 SYSMON(53`S)(^ j8E" 27 SYSPROC.AUDIT_ARCHIVE f"}L 88, 94 SYSPROC.AUDIT_DELIM_EXTRACT f"}L 88, 94 SYSPROC.AUDIT_LIST_LOGS f"}L 94 T TLS(+dc2+T) 64 TLS_RSA_WITH_3DES_EDE_CBC_SHA \kW~ 53, 66 TLS_RSA_WITH_AES_128_CBC_SHA \kW~ 53, 66 TLS_RSA_WITH_AES_256_CBC_SHA \kW~ 53, 66 U UDF 4\@$D 28 UPDATE X( 37 USAGE X( $w:X 39 j8E" 39 USERID_ATTRIBUTE 206 USER_BASEDN 206 USER_OBJECTCLASS 206 V VALIDATE B~ 305 Vista C'CJXF(UAC)&\?~ 324 W Windows >X53J' (LSA) 'V 321 =8 ~qwO$ 314 M'zO$ 314 )92+T 321 C'J' CJnF 317 WITH ADMIN OPTION Sd /PG+,$ 111 WITH DATA !n j8E" 95 WLMADM($w:X\m)(^ Ev 28 j8E" 34 X XQuery /, EXECUTE X( 46 2, EXECUTE X( 46 [XpV{] .NET GSKit 60 SSL 60 .Net Data Provider M'z 60 w} 351 352 }]b2+T8O  Printed in China S151-1753-02 Spine information: IBM DB2 10.1 for Linux, UNIX, and Windows }]b2+T8O 
